Zohocorp: Security Vulnerabilities
Zoho ManageEngine Service Plus before 11.1 build 11112 allows low-privilege authenticated users to discover the File Protection password via a getFileProtectionSettings call to AjaxServlet.
CVSS Score
6.5
EPSS Score
0.005
Published
2020-05-18
Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute code on the Manage Engine ServiceDesk administrator side. At "Asset Home > Server > <workstation> > software" the administrator of ManageEngine can control what software is installed on the workstation. This table shows all the installed program names in the Software column. In this field, a remote attacker can inject malicious code in order to execute it when the ManageEngine administrator visualizes this page.
CVSS Score
6.1
EPSS Score
0.019
Published
2020-05-14
The DataEngine Xnode Server application in Zoho ManageEngine DataSecurity Plus prior to 6.0.1 does not validate the database schema name when handling a DR-SCHEMA-SYNC request. This allows an authenticated attacker to execute code in the context of the product by writing a JSP file to the webroot directory via directory traversal.
CVSS Score
8.8
EPSS Score
0.082
Published
2020-05-08
Zoho ManageEngine DataSecurity Plus prior to 6.0.1 uses default admin credentials to communicate with a DataEngine Xnode server. This allows an attacker to bypass authentication for this server and execute all operations in the context of admin user.
CVSS Score
9.8
EPSS Score
0.891
Published
2020-05-08
Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request.
CVSS Score
7.5
EPSS Score
0.917
Published
2020-05-07
Zoho ManageEngine Desktop Central before 10.0.484 allows authenticated arbitrary file writes during ZIP archive extraction via Directory Traversal in a crafted AppDependency API request.
CVSS Score
6.5
EPSS Score
0.043
Published
2020-05-05
Zoho ManageEngine OpManager before 125120 allows an unauthenticated user to retrieve an API key via a servlet call.
CVSS Score
7.5
EPSS Score
0.67
Published
2020-04-20
In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files.
CVSS Score
7.5
EPSS Score
0.136
Published
2020-04-04
Zoho ManageEngine ADSelfService Plus before 5815 allows unauthenticated remote code execution.
CVSS Score
9.8
EPSS Score
0.104
Published
2020-04-04
Zoho ManageEngine Desktop Central before 10.0.483 allows unauthenticated users to access PDFGenerationServlet, leading to sensitive information disclosure.
CVSS Score
7.5
EPSS Score
0.12
Published
2020-03-30