Filtered by vendor Zohocorp
Subscribe
Total
511 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-5586 | 1 Zohocorp | 1 Manageengine Adaudit Plus | 2024-08-27 | N/A | 8.8 HIGH |
| Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to the authenticated SQL injection in extranet lockouts report option. | |||||
| CVE-2024-5490 | 1 Zohocorp | 1 Manageengine Adaudit Plus | 2024-08-27 | N/A | 8.8 HIGH |
| Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in aggregate reports option. | |||||
| CVE-2024-5556 | 1 Zohocorp | 1 Manageengine Adaudit Plus | 2024-08-27 | N/A | 8.8 HIGH |
| Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in reports module. | |||||
| CVE-2024-5467 | 1 Zohocorp | 1 Manageengine Adaudit Plus | 2024-08-27 | N/A | 8.8 HIGH |
| Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to the authenticated SQL injection in account lockout report. | |||||
| CVE-2024-41150 | 1 Zohocorp | 3 Manageengine Servicedesk Plus, Manageengine Servicedesk Plus Msp, Manageengine Supportcenter Plus | 2024-08-27 | N/A | 6.1 MEDIUM |
| An Stored Cross-site Scripting vulnerability in request module affects Zohocorp ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus.This issue affects ServiceDesk Plus versions: through 14810; ServiceDesk Plus MSP: through 14800; SupportCenter Plus: through 14800. | |||||
| CVE-2024-36517 | 1 Zohocorp | 1 Manageengine Adaudit Plus | 2024-08-27 | N/A | 8.8 HIGH |
| Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in alerts module. | |||||
| CVE-2024-36515 | 1 Zohocorp | 1 Manageengine Adaudit Plus | 2024-08-27 | N/A | 8.8 HIGH |
| Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in dashboard. Note: This vulnerability is different from another vulnerability (CVE-2024-36516), both of which have affected ADAudit Plus' dashboard. | |||||
| CVE-2024-36516 | 1 Zohocorp | 1 Manageengine Adaudit Plus | 2024-08-27 | N/A | 8.8 HIGH |
| Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in dashboard. Note: This vulnerability is different from another vulnerability (CVE-2024-36515), both of which have affected ADAudit Plus' dashboard. | |||||
| CVE-2024-36514 | 1 Zohocorp | 1 Manageengine Adaudit Plus | 2024-08-27 | N/A | 8.8 HIGH |
| Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in file summary option. | |||||
| CVE-2024-5527 | 1 Zohocorp | 1 Manageengine Adaudit Plus | 2024-08-16 | N/A | 8.8 HIGH |
| Zohocorp ManageEngine ADAudit Plus versions below 8110 are vulnerable to authenticated SQL Injection in file auditing configuration. | |||||
| CVE-2024-36035 | 1 Zohocorp | 1 Manageengine Adaudit Plus | 2024-08-16 | N/A | 8.8 HIGH |
| Zohocorp ManageEngine ADAudit Plus versions below 8003 are vulnerable to authenticated SQL Injection in user session recording. | |||||
| CVE-2024-5487 | 1 Zohocorp | 1 Manageengine Adaudit Plus | 2024-08-16 | N/A | 8.8 HIGH |
| Zohocorp ManageEngine ADAudit Plus versions below 8110 are vulnerable to authenticated SQL Injection in attack surface analyzer's export option. | |||||
| CVE-2024-36034 | 1 Zohocorp | 1 Manageengine Adaudit Plus | 2024-08-16 | N/A | 8.8 HIGH |
| Zohocorp ManageEngine ADAudit Plus versions below 8003 are vulnerable to authenticated SQL Injection in aggregate reports' search option. | |||||
| CVE-2024-5678 | 1 Zohocorp | 1 Manageengine Applications Manager | 2024-08-15 | N/A | 4.7 MEDIUM |
| Zohocorp ManageEngine Applications Manager versions 170900 and below are vulnerable to the authenticated admin-only SQL Injection in the Create Monitor feature. | |||||
| CVE-2019-15045 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2024-08-05 | 5.0 MEDIUM | 5.3 MEDIUM |
| AjaxDomainServlet in Zoho ManageEngine ServiceDesk Plus 10 allows User Enumeration. NOTE: the vendor's position is that this is intended functionality | |||||
| CVE-2020-9347 | 1 Zohocorp | 1 Manageengine Password Manager Pro | 2024-08-04 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. NOTE: the vendor disputes the significance of this report because they expect CSV risk mitigation to be provided by an external application, and do not plan to add CSV constraints to their own products | |||||
| CVE-2021-33256 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2024-08-04 | 9.3 HIGH | 8.8 HIGH |
| A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. The j_username parameter seems to be vulnerable and a reverse shell could be obtained if a privileged user exports "User Attempts Audit Report" as CSV file. Note: The vendor disputes this vulnerability, claiming "This is not a valid vulnerability in our ADSSP product. We don't see this as a security issue at our side. | |||||
| CVE-2022-47578 | 1 Zohocorp | 1 Manageengine Device Control Plus | 2024-08-03 | N/A | 7.8 HIGH |
| An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the USB restrictions by booting into Safe Mode. This allows a file to be exchanged outside the laptop/system. Safe Mode can be launched by any user (even without admin rights). Data exfiltration can occur, and also malware might be introduced onto the system. NOTE: the vendor's position is "it's not a vulnerability in our product." | |||||
| CVE-2022-47577 | 1 Zohocorp | 1 Manageengine Device Control Plus | 2024-08-03 | N/A | 7.8 HIGH |
| An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the USB restrictions by making use of a virtual machine (VM). This allows a file to be exchanged outside the laptop/system. VMs can be created by any user (even without admin rights). The data exfiltration can occur without any record in the audit trail of Windows events on the host machine. NOTE: the vendor's position is "it's not a vulnerability in our product." | |||||
| CVE-2023-35854 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2024-08-02 | N/A | 9.8 CRITICAL |
| Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is that they have "found no evidence or detail of a security vulnerability." | |||||