Shodan
Vulnerabilities
Vulnerable Software
Zohocorp:  Security Vulnerabilities
CVE-2018-19288
Zoho ManageEngine OpManager 12.3 before Build 123223 has XSS via the updateWidget API.
CVSS Score
6.1
EPSS Score
0.012
Published
2018-11-15
CVE-2018-18980
An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server.
CVSS Score
7.5
EPSS Score
0.305
Published
2018-11-06
CVE-2018-18949
Zoho ManageEngine OpManager 12.3 before 123222 has SQL Injection via Mail Server settings.
CVSS Score
9.8
EPSS Score
0.128
Published
2018-11-05
CVE-2018-18475
Zoho ManageEngine OpManager before 12.3 build 123214 allows Unrestricted Arbitrary File Upload.
CVSS Score
9.8
EPSS Score
0.047
Published
2018-10-23
CVE-2018-18262
Zoho ManageEngine OpManager 12.3 before build 123214 has XSS.
CVSS Score
6.1
EPSS Score
0.012
Published
2018-10-17
CVE-2018-17596
In Zoho ManageEngine AssetExplorer, a Stored XSS vulnerability was discovered in the 6.2.0 version via the /AssetDef.do ciName or assetName parameter.
CVSS Score
6.1
EPSS Score
0.02
Published
2018-10-02
CVE-2018-16364
A serialization vulnerability in Zoho ManageEngine Applications Manager before build 13740 allows for remote code execution on Windows via a payload on an SMB share.
CVSS Score
8.1
EPSS Score
0.022
Published
2018-09-26
CVE-2018-16833
Zoho ManageEngine Desktop Central 10.0.271 has XSS via the "Features & Articles" search field to the /advsearch.do?SUBREQUEST=XMLHTTP URI.
CVSS Score
6.1
EPSS Score
0.027
Published
2018-09-21
CVE-2018-16965
In Zoho ManageEngine SupportCenter Plus before 8.1 Build 8109, there is HTML Injection and Stored XSS via the /ServiceContractDef.do contractName parameter.
CVSS Score
6.1
EPSS Score
0.013
Published
2018-09-21
CVE-2018-17283
Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter.
CVSS Score
7.5
EPSS Score
0.279
Published
2018-09-21


Products
Pricing
Contact Us

Shodan ® - All rights reserved