Zohocorp: Security Vulnerabilities
Incomplete List of Disallowed Inputs in ManageEngine ServiceDesk Plus before version 11205 allows a remote, authenticated attacker to execute arbitrary commands with SYSTEM privileges.
CVSS Score
7.2
EPSS Score
0.645
Published
2021-06-10
Zoho ManageEngine Key Manager Plus before 6001 allows Stored XSS on the user-management page while importing malicious user details from AD.
CVSS Score
5.4
EPSS Score
0.195
Published
2021-06-07
Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field.
CVSS Score
6.1
EPSS Score
0.015
Published
2021-05-20
Zoho ManageEngine Eventlog Analyzer through 12147 is vulnerable to unauthenticated directory traversal via an entry in a ZIP archive. This leads to remote code execution.
CVSS Score
9.8
EPSS Score
0.039
Published
2021-04-30
Zoho ManageEngine OpManager before 12.5.329 allows unauthenticated Remote Code Execution due to a general bypass in the deserialization class.
CVSS Score
9.8
EPSS Score
0.711
Published
2021-04-22
Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks by uploading a crafted XML asset file.
CVSS Score
6.1
EPSS Score
0.353
Published
2021-04-09
ManageEngine OpManager builds below 125346 are vulnerable to remote denial of service due to a path traversal issue in the spark gateway component. This allows a remote attacker to delete any directory or directories on the OS.
CVSS Score
9.1
EPSS Score
0.441
Published
2021-04-01
The MPS Agent in Zoho ManageEngine Desktop Central MSP build 10.0.486 is vulnerable to DLL Hijacking: dcinventory.exe and dcconfig.exe try to load CSUNSAPI.dll without supplying the complete path. The issue is aggravated because this DLL is missing from the installation, thus making it possible to hijack the DLL and subsequently inject code, leading to an escalation of privilege to NT AUTHORITY\SYSTEM.
CVSS Score
7.8
EPSS Score
0.001
Published
2021-03-18
Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login).
CVSS Score
8.8
EPSS Score
0.003
Published
2021-03-13
Zoho ManageEngine ADManager Plus before 7066 allows XSS.
CVSS Score
6.1
EPSS Score
0.039
Published
2021-03-05

