Zohocorp: >> Manageengine Opmanager >> 11.5 Security Vulnerabilities
An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. One can bypass the user password requirement and execute commands on the server. The "username+'@opm' string is used for the password. For example, if the username is admin, the password is admin@opm.
CVSS Score
9.8
EPSS Score
0.372
Published
2019-08-16
Zoho ManageEngine OpManager 12.3 before 123237 has XSS in the domain controller.
CVSS Score
6.1
EPSS Score
0.013
Published
2018-12-06
Zoho ManageEngine OpManager 12.3 before 123219 has a Self XSS Vulnerability.
CVSS Score
6.1
EPSS Score
0.012
Published
2018-11-20
Zoho ManageEngine OpManager 12.3 before Build 123223 has XSS via the updateWidget API.
CVSS Score
6.1
EPSS Score
0.012
Published
2018-11-15
An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server.
CVSS Score
7.5
EPSS Score
0.367
Published
2018-11-06
Zoho ManageEngine OpManager 12.3 before 123222 has SQL Injection via Mail Server settings.
CVSS Score
9.8
EPSS Score
0.128
Published
2018-11-05
Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter.
CVSS Score
7.5
EPSS Score
0.358
Published
2018-09-21
Global Search in Zoho ManageEngine OpManager before 12.3 123205 allows SQL Injection.
CVSS Score
9.8
EPSS Score
0.074
Published
2018-09-20
Zoho ManageEngine OpManager 11 through 12.2 uses a custom encryption algorithm to protect the credential used to access the monitored devices. The implemented algorithm doesn't use a per-system key or even a salt; therefore, it's possible to create a universal decryptor.
CVSS Score
9.8
EPSS Score
0.017
Published
2017-08-04
PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and earlier allows remote administrators to bypass SQL query restrictions via a comment in the query to api/json/admin/SubmitQuery, as demonstrated by "INSERT/**/INTO."
CVSS Score
9.0
EPSS Score
0.775
Published
2015-10-09