Zohocorp: Security Vulnerabilities
Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request.
CVSS Score
7.5
EPSS Score
0.905
Published
2020-05-07
Zoho ManageEngine Desktop Central before 10.0.484 allows authenticated arbitrary file writes during ZIP archive extraction via Directory Traversal in a crafted AppDependency API request.
CVSS Score
6.5
EPSS Score
0.043
Published
2020-05-05
Zoho ManageEngine OpManager before 125120 allows an unauthenticated user to retrieve an API key via a servlet call.
CVSS Score
7.5
EPSS Score
0.352
Published
2020-04-20
In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files.
CVSS Score
7.5
EPSS Score
0.136
Published
2020-04-04
Zoho ManageEngine ADSelfService Plus before 5815 allows unauthenticated remote code execution.
CVSS Score
9.8
EPSS Score
0.096
Published
2020-04-04
Zoho ManageEngine Desktop Central before 10.0.483 allows unauthenticated users to access PDFGenerationServlet, leading to sensitive information disclosure.
CVSS Score
7.5
EPSS Score
0.11
Published
2020-03-30
Zoho ManageEngine Asset Explorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. This allows an attacker to execute arbitrary commands on the AssetExplorer Server with NT AUTHORITY/SYSTEM privileges.
CVSS Score
7.2
EPSS Score
0.044
Published
2020-03-23
An issue was discovered in Zoho ManageEngine AssetExplorer 6.5. During an upgrade of the Windows agent, it does not validate the source and binary downloaded. This allows an attacker on an adjacent network to execute code with NT AUTHORITY/SYSTEM privileges on the agent machines by providing an arbitrary executable via a man-in-the-middle attack.
CVSS Score
6.4
EPSS Score
0.002
Published
2020-03-23
ManageEngine_DesktopCentral.exe in Zoho ManageEngine Desktop Central 10 allows HTML injection on the user administration page via the description of a role.
CVSS Score
6.1
EPSS Score
0.038
Published
2020-03-23
Zoho ManageEngine Remote Access Plus 10.0.258 does not validate user permissions properly, allowing for privilege escalation and eventually a full application takeover.
CVSS Score
8.8
EPSS Score
0.002
Published
2020-03-19