Vulnerabilities
Vulnerable Software
An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. An attacker can bypass the user password requirement and execute commands on the server: the string username + '@opm' is accepted as the password, so if the username is admin, the password is admin@opm.
CVSS Score
9.8
EPSS Score
0.372
Published
2019-08-16
An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server.
CVSS Score
7.5
EPSS Score
0.367
Published
2018-11-06
Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter.
CVSS Score
7.5
EPSS Score
0.358
Published
2018-09-21
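The two entries above (the XXE through the RequestXML parameter of /devices/ProcessRequest.do, and the unauthenticated /oputilsServlet requests that lead to /api/json/v2/admin/addUser and the setManaged name parameter) share a property that matters for defenders: each leaves a distinctive request line in the web server access log. The detector below is an added example, not code from Zoho or from this page. The endpoint paths and parameter names come from the entries; the combined-style access-log layout, the sample log lines, the client addresses and the finding labels are assumptions, and the sample traffic is constructed.

```python
"""Flag OpManager request shapes from access-log lines (added example).

Assumes a combined-style access log; the sample lines are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed layout: client ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# External entities need a DTD, so a DOCTYPE or ENTITY declaration inside a
# parameter that should carry plain request data is the XXE marker.
DTD_MARKER = re.compile(r'<!DOCTYPE|<!ENTITY', re.I)

# Crude SQL-injection markers for the setManaged "name" parameter.
SQLI_MARKER = re.compile(r"['\"]|--|/\*|\b(?:or|and|union|select)\b", re.I)


def check_request(method, target):
    """Return a list of finding labels for one request-line target (empty if clean)."""
    findings = []
    parts = urlsplit(target)
    path = parts.path
    params = parse_qs(parts.query, keep_blank_values=True)

    if path.endswith('/devices/ProcessRequest.do'):
        for raw in params.get('RequestXML', []):
            # parse_qs decoded once; decode again so double encoding cannot hide the DTD
            if DTD_MARKER.search(unquote(raw)):
                findings.append('xxe-dtd-in-RequestXML')

    if path.endswith('/oputilsServlet'):
        action = params.get('action', [''])[0] or '?'
        findings.append('unauthenticated-oputilsServlet:' + action)

    if path.endswith('/api/json/v2/admin/addUser'):
        findings.append('admin-addUser')

    if path.endswith('/api/json/device/setManaged'):
        name = params.get('name', [''])[0]
        if SQLI_MARKER.search(unquote(name)):
            findings.append('sqli-setManaged-name')

    return findings


def scan(lines):
    """Return (client, target, findings) for every line that raises a finding."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = check_request(m['method'], m['target'])
        if findings:
            hits.append((m['client'], m['target'], findings))
    return hits


SAMPLE_LOG = [  # constructed, not real traffic
    '203.0.113.5 - - [06/Nov/2018:10:15:01 +0000] "GET /devices/ProcessRequest.do?RequestXML=%3C%3Fxml%20version%3D%221.0%22%3F%3E%3C%21DOCTYPE%20a%20%5B%3C%21ENTITY%20x%20SYSTEM%20%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%5D%3E%3Ca%3E%26x%3B%3C%2Fa%3E HTTP/1.1" 200 512',
    '198.51.100.7 - - [21/Sep/2018:03:41:22 +0000] "GET /oputilsServlet?action=getAPIKey HTTP/1.1" 200 88',
    '198.51.100.7 - - [21/Sep/2018:03:41:25 +0000] "POST /api/json/v2/admin/addUser?apiKey=REDACTED HTTP/1.1" 200 60',
    '192.0.2.10 - - [06/Nov/2018:10:16:40 +0000] "GET /devices/ProcessRequest.do?RequestXML=%3Crequest%3E%3Cdevice%3Erouter1%3C%2Fdevice%3E%3C%2Frequest%3E HTTP/1.1" 200 1200',
    '192.0.2.11 - - [06/Nov/2018:10:17:02 +0000] "GET /apiclient/ember/index.jsp HTTP/1.1" 200 9001',
]

if __name__ == '__main__':
    for client, target, findings in scan(SAMPLE_LOG):
        print(client, ', '.join(findings), target[:60])
```

Of the five constructed lines, the first three raise findings and the two benign requests (a RequestXML without any DTD, and an ordinary page load) do not. The DTD check deliberately looks for the declaration rather than for "file://" or an FTP URL, because the entity target is attacker-chosen while the DTD is not optional.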
Global Search in Zoho ManageEngine OpManager before 12.3 Build 123205 allows SQL Injection.
CVSS Score
9.8
EPSS Score
0.074
Published
2018-09-20
PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and earlier allows remote administrators to bypass SQL query restrictions via a comment in the query to api/json/admin/SubmitQuery, as demonstrated by "INSERT/**/INTO."
CVSS Score
9.0
EPSS Score
0.775
Published
2015-10-09
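The bypass in this entry works because the restriction looked for write statements as keyword pairs separated by whitespace, and a block comment is not whitespace. The following added example (not OpManager's code; the filter logic is assumed and written to reproduce that class of mistake) puts a naive keyword gate that "INSERT/**/INTO" slips past beside a gate that strips comments and string literals before deciding. The test queries are constructed.

```python
"""Naive versus normalising read-only SQL gate (added example)."""
import re

# The class of check the advisory describes: write statements are sought as
# literal keyword pairs separated by whitespace.  "INSERT/**/INTO" has a
# comment, not whitespace, between the words, so it is not caught.
WRITE_PAIRS_NAIVE = re.compile(
    r'\b(?:INSERT\s+INTO|UPDATE|DELETE\s+FROM|DROP\s+TABLE)\b', re.I)


def is_read_only_naive(query):
    return WRITE_PAIRS_NAIVE.search(query) is None


def normalize_sql(query):
    """Remove comments and string literals, collapse whitespace, upper-case.

    Comments are removed before literals, so a comment marker inside a
    literal can only make the gate stricter, never looser.
    """
    q = re.sub(r'/\*.*?\*/', ' ', query, flags=re.S)   # block comments
    q = re.sub(r'--[^\n]*', ' ', q)                     # line comments
    q = re.sub(r"'(?:[^']|'')*'", "''", q)              # string literals
    return ' '.join(q.split()).upper()


WRITE_WORDS = re.compile(
    r'\b(?:INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|TRUNCATE|GRANT|COPY|INTO)\b')
READ_START = re.compile(r'^(?:SELECT|WITH|EXPLAIN)\b')


def is_read_only(query):
    """Allow a single SELECT/WITH/EXPLAIN statement that contains no write keyword."""
    n = normalize_sql(query)
    if ';' in n:                      # no statement stacking
        return False
    if READ_START.match(n) is None:
        return False
    return WRITE_WORDS.search(n) is None


if __name__ == '__main__':
    for q in ('INSERT INTO users VALUES (1)', 'INSERT/**/INTO users VALUES (1)'):
        print(f'{q!r}: naive={is_read_only_naive(q)} hardened={is_read_only(q)}')
```

INTO is on the write list because "SELECT ... INTO" creates a table in PostgreSQL, and a data-modifying CTE ("WITH x AS (INSERT ...) SELECT ...") is caught by the INSERT keyword even though the statement starts with WITH. A string gate of this kind is still the weaker control; for an administrator query console the durable fix is to run the statement under a database role without write privileges, or inside a transaction opened with SET TRANSACTION READ ONLY, so that a missed keyword is an error rather than a write.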
Directory traversal vulnerability in the multipartRequest servlet in ZOHO ManageEngine OpManager 11.3 and earlier, Social IT Plus 11.0, and IT360 10.3, 10.4, and earlier allows remote attackers or remote authenticated users to delete arbitrary files via a .. (dot dot) in the fileName parameter.
CVSS Score
6.4
EPSS Score
0.365
Published
2014-12-04
Directory traversal vulnerability in the FileCollector servlet in ZOHO ManageEngine OpManager 11.4, 11.3, and earlier allows remote attackers to write and execute arbitrary files via a .. (dot dot) in the FILENAME parameter.
CVSS Score
7.5
EPSS Score
0.105
Published
2014-12-04
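Both traversal entries, the multipartRequest servlet that deletes and the FileCollector servlet that writes, come down to the same defect: a request parameter is joined onto a server directory without being confined to it. The following added example (not the product's code; the upload root, the function names and the test paths are assumptions) shows the unsafe join beside a check that accepts only a bare file name and then proves the resolved path stays under the root.

```python
"""Path confinement for a user-supplied file name (added example)."""
import posixpath

# Assumed server directory; not the product's real layout.
UPLOAD_ROOT = '/opt/ManageEngine/OpManager/uploads'


def resolve_unsafe(root, filename):
    """The vulnerable pattern: the parameter is glued onto the directory.

    '../' segments walk out of root, so the caller's unlink() or open()
    acts on whatever file the attacker named.
    """
    return posixpath.normpath(posixpath.join(root, filename))


def resolve_safe(root, filename):
    """Return root/filename, or raise ValueError if filename is not a bare
    name inside root.  Apply after URL decoding and before any filesystem call."""
    if not filename or '\x00' in filename or filename in ('.', '..'):
        raise ValueError('empty or reserved file name')
    if '/' in filename or '\\' in filename:
        raise ValueError('path separators are not allowed in a file name')
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, filename))
    # Containment check: still holds if the name rules above are loosened later.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError('resolved path escapes the root directory')
    return candidate


def is_traversal_attempt(filename):
    """Logging predicate: True when the name would be rejected by resolve_safe."""
    try:
        resolve_safe(UPLOAD_ROOT, filename)
    except ValueError:
        return True
    return False


if __name__ == '__main__':
    for name in ('report.csv', '../../../../etc/passwd'):
        verdict = 'rejected' if is_traversal_attempt(name) else 'accepted'
        print(f'{name!r} -> {resolve_unsafe(UPLOAD_ROOT, name)} ({verdict})')
```

Against a real filesystem the containment step should compare os.path.realpath() of both sides so that a symlink inside the root cannot point the resolved name elsewhere, and the write case (the FileCollector entry) should additionally open the file with O_CREAT | O_EXCL so an accepted name can never overwrite an existing file. The check rejects any separator rather than trying to strip ".." segments, because a name such as "..%2F" that is decoded later in the pipeline would survive a strip-based filter.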
Shodan ® - All rights reserved