Zohocorp: Security Vulnerabilities

An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.x through build 5704. It uses fixed ciphering keys to protect information, giving the capacity for an attacker to decipher any protected data.
CVSS Score: 7.5 | EPSS Score: 0.024 | Published: 2019-03-21

CVE-2019-8394 (Known exploited)
Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization.
CVSS Score: 6.5 | EPSS Score: 0.879 | Published: 2019-02-17

An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an attachment to a request.
CVSS Score: 9.8 | EPSS Score: 0.122 | Published: 2019-02-17

Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via an uploaded product license.
CVSS Score: 9.8 | EPSS Score: 0.014 | Published: 2019-01-03

Zoho ManageEngine ADSelfService Plus 5.x before build 5703 has SSRF.
CVSS Score: 10.0 | EPSS Score: 0.012 | Published: 2019-01-03

Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the self-update layout implementation.
CVSS Score: 6.1 | EPSS Score: 0.006 | Published: 2018-12-26

Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the employee search feature.
CVSS Score: 6.1 | EPSS Score: 0.006 | Published: 2018-12-26

Zoho ManageEngine OpManager 12.3 before build 123239 allows SQL injection in the Alarms section.
CVSS Score: 9.8 | EPSS Score: 0.052 | Published: 2018-12-21

Zoho ManageEngine OpManager 12.3 before build 123239 allows XSS in the Notes column of the Alarms section.
CVSS Score: 6.1 | EPSS Score: 0.012 | Published: 2018-12-21

Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection via the getGraphData API.
CVSS Score: 9.8 | EPSS Score: 0.128 | Published: 2018-12-17