Shodan
Vulnerabilities
Vulnerable Software
Zohocorp:  Security Vulnerabilities
CVE-2018-7405
Cross-site scripting (XSS) in Zoho ManageEngine EventLog Analyzer before 11.12 Build 11120 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVSS Score
6.1
EPSS Score
0.005
Published
2018-03-13
CVE-2018-7890
A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specified system. This endpoint calls several internal classes, and then executes a PowerShell script. If the specified system is OfficeSharePointServer, then the username and password parameters to this script are not validated, leading to Command Injection.
CVSS Score
9.8
EPSS Score
0.863
Published
2018-03-08
CVE-2017-16924
Remote Information Disclosure and Escalation of Privileges in ManageEngine Desktop Central MSP 10.0.137 allows attackers to download unencrypted XML files containing all data for configuration policies via a predictable /client-data/<client_id>/collections/##/usermgmt.xml URL, as demonstrated by passwords and Wi-Fi keys. This is fixed in build 100157.
CVSS Score
9.8
EPSS Score
0.017
Published
2018-02-19
CVE-2017-17552
/LoadFrame in Zoho ManageEngine AD Manager Plus build 6590 - 6613 allows attackers to conduct URL Redirection attacks via the src parameter, resulting in a bypass of CSRF protection, or potentially masquerading a malicious URL as trusted.
CVSS Score
8.8
EPSS Score
0.003
Published
2018-02-07
CVE-2014-7862
The DCPluginServelet servlet in ManageEngine Desktop Central and Desktop Central MSP before build 90109 allows remote attackers to create administrator accounts via an addPlugInUser action.
CVSS Score
9.8
EPSS Score
0.814
Published
2018-01-04
CVE-2017-17698
Zoho ManageEngine Password Manager Pro 9 before 9.4 (9400) has reflected XSS in SearchResult.ec and BulkAccessControlView.ec.
CVSS Score
6.1
EPSS Score
0.019
Published
2017-12-15
CVE-2017-16846
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /manageApplications.do?method=AddSubGroup haid parameter.
CVSS Score
9.8
EPSS Score
0.123
Published
2017-11-16
CVE-2017-16847
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a showPlasmaView action.
CVSS Score
9.8
EPSS Score
0.123
Published
2017-11-16
CVE-2017-16848
Zoho ManageEngine Applications Manager 13 allows SQL injection via the /manageConfMons.do groupname parameter.
CVSS Score
9.8
EPSS Score
0.095
Published
2017-11-16
CVE-2017-16849
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do?method=viewDashBoard forpage parameter.
CVSS Score
9.8
EPSS Score
0.123
Published
2017-11-16


Products
Pricing
Contact Us

Shodan ® - All rights reserved