Shodan
Vulnerabilities
Vulnerable Software
Zohocorp:  >> Manageengine Applications Manager  Security Vulnerabilities
CVE-2018-13050
A SQL Injection vulnerability exists in Zoho ManageEngine Applications Manager 13.x before build 13800 via the j_username parameter in a /j_security_check POST request.
CVSS Score
9.8
EPSS Score
0.007
Published
2018-07-02
CVE-2018-12996
A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager before 13 (Build 13800) allows remote attackers to inject arbitrary web script or HTML via the parameter 'method' to GraphicalView.do.
CVSS Score
6.1
EPSS Score
0.015
Published
2018-06-29
CVE-2018-11808
Incorrect Access Control in CustomFieldsFeedServlet in Zoho ManageEngine Applications Manager Version 13 before build 13740 allows an attacker to delete any file and read certain files on the server in the context of the user (which by default is "NT AUTHORITY / SYSTEM") by sending a specially crafted request to the server.
CVSS Score
9.1
EPSS Score
0.047
Published
2018-06-06
CVE-2018-7890
A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specified system. This endpoint calls several internal classes, and then executes a PowerShell script. If the specified system is OfficeSharePointServer, then the username and password parameters to this script are not validated, leading to Command Injection.
CVSS Score
9.8
EPSS Score
0.876
Published
2018-03-08
CVE-2017-16846
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /manageApplications.do?method=AddSubGroup haid parameter.
CVSS Score
9.8
EPSS Score
0.123
Published
2017-11-16
CVE-2017-16847
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a showPlasmaView action.
CVSS Score
9.8
EPSS Score
0.123
Published
2017-11-16
CVE-2017-16848
Zoho ManageEngine Applications Manager 13 allows SQL injection via the /manageConfMons.do groupname parameter.
CVSS Score
9.8
EPSS Score
0.095
Published
2017-11-16
CVE-2017-16849
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do?method=viewDashBoard forpage parameter.
CVSS Score
9.8
EPSS Score
0.123
Published
2017-11-16
CVE-2017-16850
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a getResourceProfiles action.
CVSS Score
9.8
EPSS Score
0.123
Published
2017-11-16
CVE-2017-16851
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do widgetid parameter.
CVSS Score
9.8
EPSS Score
0.123
Published
2017-11-16


Products
Pricing
Contact Us

Shodan ® - All rights reserved