Filtered by vendor Zohocorp
Subscribe
Total
511 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-27214 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2022-07-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack against the administrative interface via an HTTP request, a different vulnerability than CVE-2019-3905. | |||||
| CVE-2021-20136 | 1 Zohocorp | 1 Manageengine Log360 | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| ManageEngine Log360 Builds < 5235 are affected by an improper access control vulnerability allowing database configuration overwrite. An unauthenticated remote attacker can send a specially crafted message to Log360 to change its backend database to an attacker-controlled database and to force Log360 to restart. An attacker can leverage this vulnerability to achieve remote code execution by replacing files executed by Log360 on startup. | |||||
| CVE-2021-28958 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADSelfService Plus through 6101 is vulnerable to unauthenticated Remote Code Execution while changing the password. | |||||
| CVE-2021-41829 | 1 Zohocorp | 1 Manageengine Remote Access Plus | 2022-07-12 | 5.0 MEDIUM | 7.5 HIGH |
| Zoho ManageEngine Remote Access Plus before 10.1.2121.1 relies on the application's build number to calculate a certain encryption key. | |||||
| CVE-2021-37424 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| ManageEngine ADSelfService Plus before 6112 is vulnerable to domain user account takeover. | |||||
| CVE-2021-44757 | 1 Zohocorp | 2 Manageengine Desktop Central, Manageengine Desktop Central Managed Service Providers | 2022-07-12 | 6.4 MEDIUM | 9.1 CRITICAL |
| Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9 allow attackers to bypass authentication, and read sensitive information or upload an arbitrary ZIP archive to the server. | |||||
| CVE-2021-37420 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2022-07-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to mail spoofing. | |||||
| CVE-2022-28987 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2022-07-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login. | |||||
| CVE-2021-20109 | 1 Zohocorp | 1 Manageengine Assetexplorer | 2022-06-28 | 5.0 MEDIUM | 7.5 HIGH |
| Due to the Asset Explorer agent not validating HTTPS certificates, an attacker on the network can statically configure their IP address to match the Asset Explorer's Server IP address. This will allow an attacker to send a NEWSCAN request to a listening agent on the network as well as receive the agent's HTTP request verifying its authtoken. In AEAgent.cpp, the agent responding back over HTTP is vulnerable to a Heap Overflow if the POST payload response is too large. The POST payload response is converted to Unicode using vswprintf. This is written to a buffer only 0x2000 bytes big. If POST payload is larger, then heap overflow will occur. | |||||
| CVE-2021-20110 | 1 Zohocorp | 1 Manageengine Assetexplorer | 2022-06-28 | 10.0 HIGH | 9.8 CRITICAL |
| Due to Manage Engine Asset Explorer Agent 1.0.34 not validating HTTPS certificates, an attacker on the network can statically configure their IP address to match the Asset Explorer's Server IP address. This will allow an attacker to send a NEWSCAN request to a listening agent on the network as well as receive the agent's HTTP request verifying its authtoken. In httphandler.cpp, the agent reaching out over HTTP is vulnerable to an Integer Overflow, which can be turned into a Heap Overflow allowing for remote code execution as NT AUTHORITY/SYSTEM on the agent machine. The Integer Overflow occurs when receiving POST response from the Manage Engine server, and the agent calling "HttpQueryInfoW" in order to get the "Content-Length" size from the incoming POST request. This size is taken, but multiplied to a larger amount. If an attacker specifies a Content-Length size of 1073741823 or larger, this integer arithmetic will wrap the value back around to smaller integer, then calls "calloc" with this size to allocate memory. The following API "InternetReadFile" will copy the POST data into this buffer, which will be too small for the contents, and cause heap overflow. | |||||
| CVE-2022-29535 | 1 Zohocorp | 1 Manageengine Opmanager | 2022-05-17 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine OPManager through 125588 allows SQL Injection via a few default reports. | |||||
| CVE-2021-33911 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2022-05-03 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ADManager Plus before 7110 allows remote code execution. | |||||
| CVE-2020-15588 | 1 Zohocorp | 1 Manageengine Desktop Central | 2022-04-28 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.552.W. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges. This issue will occur only when untrusted communication is initiated with server. In cloud, Agent will always connect with trusted communication. | |||||
| CVE-2021-43296 | 1 Zohocorp | 1 Manageengine Supportcenter Plus | 2022-04-27 | 5.0 MEDIUM | 7.5 HIGH |
| Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to an SSRF attack in ActionExecutor. | |||||
| CVE-2021-43294 | 1 Zohocorp | 1 Manageengine Supportcenter Plus | 2022-04-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Products module. | |||||
| CVE-2021-43295 | 1 Zohocorp | 1 Manageengine Supportcenter Plus | 2022-04-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Accounts module. | |||||
| CVE-2022-27908 | 1 Zohocorp | 1 Manageengine Opmanager | 2022-04-26 | 6.5 MEDIUM | 8.8 HIGH |
| Zoho ManageEngine OpManager before 125588 (and before 125603) is vulnerable to authenticated SQL Injection in the Inventory Reports module. | |||||
| CVE-2021-3287 | 1 Zohocorp | 1 Manageengine Opmanager | 2022-04-18 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine OpManager before 12.5.329 allows unauthenticated Remote Code Execution due to a general bypass in the deserialization class. | |||||
| CVE-2019-15046 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2022-04-18 | 5.0 MEDIUM | 7.5 HIGH |
| Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989. | |||||
| CVE-2020-28653 | 1 Zohocorp | 1 Manageengine Opmanager | 2022-04-18 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet. | |||||