Zohocorp: Security Vulnerabilities
Zoho ManageEngine OpManager before 12.5.329 allows unauthenticated Remote Code Execution due to a general bypass in the deserialization class.
CVSS Score
9.8
EPSS Score
0.885
Published
2021-04-22
Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks by uploading a crafted XML asset file.
CVSS Score
6.1
EPSS Score
0.186
Published
2021-04-09
Manage Engine OpManager builds below 125346 are vulnerable to a remote denial of service vulnerability due to a path traversal issue in spark gateway component. This allows a remote attacker to remotely delete any directory or directories on the OS.
CVSS Score
9.1
EPSS Score
0.552
Published
2021-04-01
The MPS Agent in Zoho ManageEngine Desktop Central MSP build MSP build 10.0.486 is vulnerable to DLL Hijacking: dcinventory.exe and dcconfig.exe try to load CSUNSAPI.dll without supplying the complete path. The issue is aggravated because this DLL is missing from the installation, thus making it possible to hijack the DLL and subsequently inject code, leading to an escalation of privilege to NT AUTHORITY\SYSTEM.
CVSS Score
7.8
EPSS Score
0.002
Published
2021-03-18
Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login).
CVSS Score
8.8
EPSS Score
0.017
Published
2021-03-13
Zoho ManageEngine ADManager Plus before 7066 allows XSS.
CVSS Score
6.1
EPSS Score
0.039
Published
2021-03-05
Zoho ManageEngine Desktop Central before build 10.0.647 allows a single authentication secret from multiple agents to communicate with the server.
CVSS Score
9.1
EPSS Score
0.016
Published
2021-03-05
Zoho ManageEngine Application Control Plus before 100523 has an insecure SSL configuration setting for Nginx, leading to Privilege Escalation.
CVSS Score
9.8
EPSS Score
0.15
Published
2021-03-05
A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack against the administrative interface via an HTTP request, a different vulnerability than CVE-2019-3905.
CVSS Score
6.1
EPSS Score
0.073
Published
2021-02-19
doFilter in com.adventnet.appmanager.filter.UriCollector in Zoho ManageEngine Applications Manager through 14930 allows an authenticated SQL Injection via the resourceid parameter to showresource.do.
CVSS Score
8.8
EPSS Score
0.013
Published
2021-02-05