Zohocorp: Security Vulnerabilities
Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the employee search feature.
CVSS Score
6.1
EPSS Score
0.017
Published
2018-12-26
Zoho ManageEngine OpManager 12.3 before build 123239 allows SQL injection in the Alarms section.
CVSS Score
9.8
EPSS Score
0.052
Published
2018-12-21
Zoho ManageEngine OpManager 12.3 before build 123239 allows XSS in the Notes column of the Alarms section.
CVSS Score
6.1
EPSS Score
0.012
Published
2018-12-21
Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection via the getGraphData API.
CVSS Score
9.8
EPSS Score
0.128
Published
2018-12-17
Zoho ManageEngine ADAudit before 5.1 build 5120 allows remote attackers to cause a denial of service (stack-based buffer overflow) via the 'Domain Name' field when adding a new domain.
CVSS Score
7.5
EPSS Score
0.071
Published
2018-12-13
Zoho ManageEngine OpManager 12.3 before 123237 has XSS in the domain controller.
CVSS Score
6.1
EPSS Score
0.013
Published
2018-12-06
Zoho ManageEngine OpManager 12.3 before 123219 has stored XSS.
CVSS Score
6.1
EPSS Score
0.005
Published
2018-11-20
Zoho ManageEngine OpManager 12.3 before 123219 has a Self XSS Vulnerability.
CVSS Score
6.1
EPSS Score
0.01
Published
2018-11-20
Zoho ManageEngine OpManager 12.3 before Build 123223 has XSS via the updateWidget API.
CVSS Score
6.1
EPSS Score
0.012
Published
2018-11-15
An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server.
CVSS Score
7.5
EPSS Score
0.305
Published
2018-11-06