Zoho Corp ZoHo
Products by Zoho Corp Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2024 there have been 8 vulnerabilities in Zoho Corp with an average score of 7.8 out of ten. Last year Zoho Corp had 45 security vulnerabilities published. Right now, Zoho Corp is on track to have less security vulnerabilities in 2024 than it did last year. However, the average CVE base score of the vulnerabilities in 2024 is greater by 0.94.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2024 | 8 | 7.84 |
| 2023 | 45 | 6.90 |
| 2022 | 55 | 7.52 |
| 2021 | 96 | 8.61 |
| 2020 | 40 | 7.76 |
| 2019 | 58 | 7.35 |
| 2018 | 48 | 7.63 |
It may take a day or so for new Zoho Corp vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Zoho Corp Security Vulnerabilities
ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in home Graph-Data.
CVE-2024-0253
8.8 - High
- February 02, 2024
ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in home Graph-Data.
SQL Injection
ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in File-Summary DrillDown
CVE-2024-0269
8.8 - High
- February 02, 2024
ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in File-Summary DrillDown. This issue has been fixed and released in version 7271.
SQL Injection
Zoho ManageEngine ADAudit Plus through 7250 is vulnerable to SQL Injection in the report export option.
CVE-2023-48792
9.8 - Critical
- February 02, 2024
Zoho ManageEngine ADAudit Plus through 7250 is vulnerable to SQL Injection in the report export option.
SQL Injection
Zoho ManageEngine ADAudit Plus through 7250
CVE-2023-48793
9.8 - Critical
- February 02, 2024
Zoho ManageEngine ADAudit Plus through 7250 allows SQL Injection in the aggregate report feature.
SQL Injection
Zoho ManageEngine ADAudit Plus before 7270
CVE-2023-50785
2.7 - Low
- January 25, 2024
Zoho ManageEngine ADAudit Plus before 7270 allows admin users to view names of arbitrary directories via path traversal.
Directory traversal
Zoho ManageEngine ServiceDesk Plus MSP before 14504
CVE-2023-49943
5.4 - Medium
- January 18, 2024
Zoho ManageEngine ServiceDesk Plus MSP before 14504 allows stored XSS (by a low-privileged technician) via a task's name in a time sheet.
XSS
ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to the remote code execution due to the improper handling in the load balancer component
CVE-2024-0252
8.8 - High
- January 11, 2024
ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to the remote code execution due to the improper handling in the load balancer component. Authentication is required in order to exploit this vulnerability.
A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258
CVE-2023-47211
8.6 - High
- January 08, 2024
A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability.
Directory traversal
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoho Forms Form plugin for WordPress Zoho Forms
CVE-2023-50891
5.4 - Medium
- December 29, 2023
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoho Forms Form plugin for WordPress Zoho Forms allows Stored XSS.This issue affects Form plugin for WordPress Zoho Forms: from n/a through 3.0.1.
XSS
Zoho ManageEngine RecoveryManager Plus before 6070
CVE-2023-48646
7.2 - High
- November 22, 2023
Zoho ManageEngine RecoveryManager Plus before 6070 allows admin users to execute arbitrary commands via proxy settings.
An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed
CVE-2023-6105
5.5 - Medium
- November 15, 2023
An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine product database.
A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0
CVE-2023-4767
6.1 - Medium
- November 03, 2023
A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.csv.
Injection
A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0
CVE-2023-4768
6.1 - Medium
- November 03, 2023
A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.pdf.
CRLF Injection
A SSRF vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0, specifically the /smtpConfig.do component
CVE-2023-4769
8.8 - High
- November 03, 2023
A SSRF vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0, specifically the /smtpConfig.do component. This vulnerability could allow an authenticated attacker to launch targeted attacks, such as a cross-port attack, service enumeration and other attacks via HTTP requests.
XSPA
Zoho ManageEngine ADManager Plus before 7203
CVE-2023-41904
5.4 - Medium
- September 27, 2023
Zoho ManageEngine ADManager Plus before 7203 allows 2FA bypass (for AuthToken generation) in REST APIs.
authentification
Zoho ManageEngine ADManager Plus before Build 7200
CVE-2023-38743
7.2 - High
- September 11, 2023
Zoho ManageEngine ADManager Plus before Build 7200 allows admin users to execute commands on the host machine.
ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability
CVE-2023-35719
6.8 - Medium
- September 06, 2023
ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of ManageEngine ADSelfService Plus. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Password Reset Portal used by the GINA client. The issue results from the lack of proper authentication of data received via HTTP. An attacker can leverage this vulnerability to bypass authentication and execute code in the context of SYSTEM. Was ZDI-CAN-17009.
Insufficient Verification of Data Authenticity
Zoho ManageEngine ADManager Plus before 7203
CVE-2023-39912
4.9 - Medium
- August 31, 2023
Zoho ManageEngine ADManager Plus before 7203 allows Help Desk Technician users to read arbitrary files on the machine where this product is installed.
Directory traversal
Zoho ManageEngine Active Directory 360 versions 4315 and below, ADAudit Plus 7202 and below, ADManager Plus 7200 and below, Asset Explorer 6993 and below and 7xxx 7002 and below, Cloud Security Plus 4161 and below, Data Security Plus 6110 and below, Eventlog Analyzer 12301 and below, Exchange Reporter Plus 5709 and below, Log360 5315 and below, Log360 UEBA 4045 and below, M365 Manager Plus 4529 and below, M365 Security Plus 4529 and below, Recovery Manager Plus 6061 and below, ServiceDesk Plus 14204 and below and 143xx 14302 and below, ServiceDesk Plus MSP 14300 and below, SharePoint Manager Plus 4402 and below, and Support Center Plus 14300 and below are vulnerable to 2FA bypass
CVE-2023-35785
8.1 - High
- August 28, 2023
Zoho ManageEngine Active Directory 360 versions 4315 and below, ADAudit Plus 7202 and below, ADManager Plus 7200 and below, Asset Explorer 6993 and below and 7xxx 7002 and below, Cloud Security Plus 4161 and below, Data Security Plus 6110 and below, Eventlog Analyzer 12301 and below, Exchange Reporter Plus 5709 and below, Log360 5315 and below, Log360 UEBA 4045 and below, M365 Manager Plus 4529 and below, M365 Security Plus 4529 and below, Recovery Manager Plus 6061 and below, ServiceDesk Plus 14204 and below and 143xx 14302 and below, ServiceDesk Plus MSP 14300 and below, SharePoint Manager Plus 4402 and below, and Support Center Plus 14300 and below are vulnerable to 2FA bypass via a few TOTP authenticators. Note: A valid pair of username and password is required to leverage this vulnerability.
authentification
Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to the authenticated users.
CVE-2023-31492
6.5 - Medium
- August 17, 2023
Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to the authenticated users.
Insufficiently Protected Credentials
Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001
CVE-2020-27449
6.1 - Medium
- August 11, 2023
Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001, allows remote attackers to execute arbitrary code and steal cookies via crafted JavaScript payload.
XSS
Zoho ManageEngine Applications Manager through 16530
CVE-2023-38333
6.1 - Medium
- August 10, 2023
Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in.
XSS
Zoho ManageEngine ADManager Plus through 7201
CVE-2023-38332
6.5 - Medium
- August 04, 2023
Zoho ManageEngine ADManager Plus through 7201 allow authenticated users to take over another user's account via sensitive information disclosure.
An issue was discovered in Zoho ManageEngine Network Configuration Manager 12.6.165
CVE-2023-29505
8.8 - High
- August 04, 2023
An issue was discovered in Zoho ManageEngine Network Configuration Manager 12.6.165. The WebSocket endpoint allows Cross-site WebSocket hijacking.
Origin Validation Error
Zoho ManageEngine Support Center Plus 14001 and below is vulnerable to stored XSS in the products module.
CVE-2023-38331
5.4 - Medium
- July 28, 2023
Zoho ManageEngine Support Center Plus 14001 and below is vulnerable to stored XSS in the products module.
XSS
Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a privilege escalation vulnerability in the Release module
CVE-2023-34197
5.4 - Medium
- July 07, 2023
Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a privilege escalation vulnerability in the Release module that allows unprivileged users to access the Reminders of a release ticket and make modifications.
Zoho ManageEngine ADAudit Plus before 7100
CVE-2023-37308
5.4 - Medium
- July 07, 2023
Zoho ManageEngine ADAudit Plus before 7100 allows XSS via the username field.
XSS
Zoho ManageEngine ADManager Plus before 7183
CVE-2023-35786
4.9 - Medium
- July 05, 2023
Zoho ManageEngine ADManager Plus before 7183 allows admin users to exploit an XXE issue to view files.
XXE
Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass
CVE-2023-35854
9.8 - Critical
- June 20, 2023
Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is that they have "found no evidence or detail of a security vulnerability."
Missing Authentication for Critical Function
Zoho ManageEngine OPManager through 126323
CVE-2023-31099
8.8 - High
- May 04, 2023
Zoho ManageEngine OPManager through 126323 allows an authenticated user to achieve remote code execution via probe servers.
Zoho ManageEngine Applications Manager before 16400
CVE-2023-29442
6.1 - Medium
- April 26, 2023
Zoho ManageEngine Applications Manager before 16400 allows proxy.html DOM XSS.
XSS
Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server
CVE-2023-29443
4.9 - Medium
- April 26, 2023
Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint.
XXE
Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309
CVE-2023-2291
7.8 - High
- April 26, 2023
Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360. These credentials could allow a malicious actor to modify configuration data that would escalate their permissions from that of a low-privileged user to an Administrative user.
Zoho ManageEngine ADManager Plus before 7181
CVE-2023-29084
7.2 - High
- April 13, 2023
Zoho ManageEngine ADManager Plus before 7181 allows for authenticated users to exploit command injection via Proxy settings.
Command Injection
Zoho ManageEngine Applications Manager through 16320
CVE-2023-28340
6.5 - Medium
- April 11, 2023
Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack.
XXE
Stored Cross site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340
CVE-2023-28341
6.1 - Medium
- April 11, 2023
Stored Cross site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to inject malicious javascript on the incorrect login details page.
XSS
Zoho ManageEngine ADSelfService Plus before 6218
CVE-2023-28342
7.5 - High
- April 05, 2023
Zoho ManageEngine ADSelfService Plus before 6218 allows anyone to conduct a Denial-of-Service attack via the Mobile App Authentication API.
A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168
CVE-2022-43473
5.4 - Medium
- March 30, 2023
A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve a malicious XML payload to trigger this vulnerability.
XXE
Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack
CVE-2022-36413
9.1 - Critical
- March 23, 2023
Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack that leads to a password reset on IDM applications.
Improper Restriction of Excessive Authentication Attempts
Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Center Plus before 14000
CVE-2023-26601
7.5 - High
- March 06, 2023
Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Center Plus before 14000 allow Denial-of-Service (DoS).
Resource Exhaustion
ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Explorer through 6987
CVE-2023-26600
6.5 - Medium
- March 06, 2023
ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Explorer through 6987 allow privilege escalation via query reports.
Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2
CVE-2022-48362
8.8 - High
- February 25, 2023
Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2 allow directory traversal via computerName to AgentLogUploadServlet. A remote, authenticated attacker could upload arbitrary code that would be executed when Desktop Central is restarted. (The attacker could authenticate by exploiting CVE-2021-44515.)
Directory traversal
The Zoho Forms WordPress plugin before 3.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could
CVE-2023-0169
5.4 - Medium
- February 13, 2023
The Zoho Forms WordPress plugin before 3.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
XSS
Cross Site Scripting (XSS) vulnerability in Zoho Asset Explorer 6.9
CVE-2023-23075
6.1 - Medium
- February 01, 2023
Cross Site Scripting (XSS) vulnerability in Zoho Asset Explorer 6.9 via the credential name when creating a new Assets Workstation.
XSS
OS Command injection vulnerability in Support Center Plus 11
CVE-2023-23076
9.8 - Critical
- February 01, 2023
OS Command injection vulnerability in Support Center Plus 11 via Executor in Action when creating new schedules.
Shell injection
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13
CVE-2023-23077
6.1 - Medium
- February 01, 2023
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment.
XSS
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14
CVE-2023-23078
6.1 - Medium
- February 01, 2023
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets.
XSS
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14
CVE-2023-23073
6.1 - Medium
- February 01, 2023
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component.
XSS
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14
CVE-2023-23074
6.1 - Medium
- February 01, 2023
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via embedding videos in the language component.
XSS
Zoho ManageEngine ServiceDesk Plus MSP before 10611
CVE-2023-22964
9.1 - Critical
- January 20, 2023
Zoho ManageEngine ServiceDesk Plus MSP before 10611, and 13x before 13004, is vulnerable to authentication bypass when LDAP authentication is enabled.
authentification
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in
CVE-2022-47966
9.8 - Critical
- January 18, 2023
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41. ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).
Zoho ManageEngine Exchange Reporter Plus before 5708
CVE-2023-22624
7.5 - High
- January 17, 2023
Zoho ManageEngine Exchange Reporter Plus before 5708 allows attackers to conduct XXE attacks.
XXE
Zoho ManageEngine Access Manager Plus before 4309
CVE-2022-47523
9.8 - Critical
- January 05, 2023
Zoho ManageEngine Access Manager Plus before 4309, Password Manager Pro before 12210, and PAM360 before 5801 are vulnerable to SQL Injection.
SQL Injection
An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15
CVE-2022-47577
7.8 - High
- December 20, 2022
An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the USB restrictions by making use of a virtual machine (VM). This allows a file to be exchanged outside the laptop/system. VMs can be created by any user (even without admin rights). The data exfiltration can occur without any record in the audit trail of Windows events on the host machine. NOTE: the vendor's position is "it's not a vulnerability in our product."
An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15
CVE-2022-47578
7.8 - High
- December 20, 2022
An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the USB restrictions by booting into Safe Mode. This allows a file to be exchanged outside the laptop/system. Safe Mode can be launched by any user (even without admin rights). Data exfiltration can occur, and also malware might be introduced onto the system. NOTE: the vendor's position is "it's not a vulnerability in our product."
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack
CVE-2022-40771
4.9 - Medium
- November 23, 2022
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure.
XXE
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to a validation bypass
CVE-2022-40772
6.5 - Medium
- November 23, 2022
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to a validation bypass that allows users to access sensitive data via the report module.
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to authenticated command injection
CVE-2022-40770
7.2 - High
- November 23, 2022
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to authenticated command injection. This can be exploited by high-privileged users.
Command Injection
Zoho ManageEngine ADManager Plus through 7151
CVE-2022-42904
7.2 - High
- November 18, 2022
Zoho ManageEngine ADManager Plus through 7151 allows authenticated admin users to execute the commands in proxy settings.
Zoho ManageEngine SupportCenter Plus through 11024
CVE-2022-42903
3.3 - Low
- November 17, 2022
Zoho ManageEngine SupportCenter Plus through 11024 allows low-privileged users to view the organization users list.
AuthZ
Zoho ManageEngine ServiceDesk Plus MSP before 10609 and SupportCenter Plus before 11025 are vulnerable to privilege escalation
CVE-2022-40773
8.8 - High
- November 12, 2022
Zoho ManageEngine ServiceDesk Plus MSP before 10609 and SupportCenter Plus before 11025 are vulnerable to privilege escalation. This allows users to obtain sensitive data during an exportMickeyList export of requests from the list view.
Improper Input Validation
In Zoho ManageEngine Mobile Device Manager Plus before 10.1.2207.5, the User Administration module
CVE-2022-41339
7.8 - High
- November 12, 2022
In Zoho ManageEngine Mobile Device Manager Plus before 10.1.2207.5, the User Administration module allows privilege escalation.
Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306
CVE-2022-43671
9.8 - Critical
- November 12, 2022
Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection.
SQL Injection
Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306
CVE-2022-43672
9.8 - Critical
- November 12, 2022
Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection (in a different software component relative to CVE-2022-43671.
SQL Injection
Auth. (subscriber+) Arbitrary Options Update vulnerability i
CVE-2022-41978
6.5 - Medium
- November 09, 2022
Auth. (subscriber+) Arbitrary Options Update vulnerability in Zoho CRM Lead Magnet plugin <= 1.7.5.8 on WordPress.
Zoho ManageEngine Password Manager Pro through 12120 before 12121
CVE-2022-40300
9.8 - Critical
- September 16, 2022
Zoho ManageEngine Password Manager Pro through 12120 before 12121, PAM360 through 5550 before 5600, and Access Manager Plus through 4304 before 4305 have multiple SQL injection vulnerabilities.
SQL Injection
Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 125658, 126003, 126105, and 126120 allow authenticated users to make database changes
CVE-2022-38772
8.8 - High
- August 29, 2022
Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 125658, 126003, 126105, and 126120 allow authenticated users to make database changes that lead to remote code execution in the NMAP feature.
Out-of-Band XML External Entity (OOB-XXE) vulnerability in Zoho ManageEngine Analytics Plus before 4.3.5
CVE-2020-21641
7.5 - High
- August 15, 2022
Out-of-Band XML External Entity (OOB-XXE) vulnerability in Zoho ManageEngine Analytics Plus before 4.3.5 allows remote attackers to read arbitrary files, enumerate folders and scan internal ports via crafted XML license file.
XXE
Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350
CVE-2020-21642
9.8 - Critical
- August 15, 2022
Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.
Directory traversal
Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118)
CVE-2022-36923
7.5 - High
- August 10, 2022
Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user's API key, and then access external APIs.
Improper Handling of Exceptional Conditions
Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 2022-07-29 through 2022-07-30 ( 125658, 126003, 126105, and 126120) allow authenticated users to make database changes
CVE-2022-37024
8.8 - High
- August 10, 2022
Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 2022-07-29 through 2022-07-30 ( 125658, 126003, 126105, and 126120) allow authenticated users to make database changes that lead to remote code execution.
In Zoho ManageEngine SupportCenter Plus before 11023, V3 API requests are vulnerable to authentication bypass
CVE-2022-36412
9.8 - Critical
- July 26, 2022
In Zoho ManageEngine SupportCenter Plus before 11023, V3 API requests are vulnerable to authentication bypass. (An API request may, in effect, be executed with the credentials of a user who authenticated in the past.)
authentification
Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution
CVE-2022-35405
9.8 - Critical
- July 19, 2022
Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.)
Marshaling, Unmarshaling
ManageEngine Password Manager Pro 12100 and prior and OPManager 126100 and prior are vulnerable to unauthorized file and directory creation on a server machine.
CVE-2022-35404
8.2 - High
- July 18, 2022
ManageEngine Password Manager Pro 12100 and prior and OPManager 126100 and prior are vulnerable to unauthorized file and directory creation on a server machine.
Improper Input Validation
Zoho ManageEngine ServiceDesk Plus before 13008, ServiceDesk Plus MSP before 10606, and SupportCenter Plus before 11022 are affected by an unauthenticated local file disclosure vulnerability
CVE-2022-35403
7.5 - High
- July 12, 2022
Zoho ManageEngine ServiceDesk Plus before 13008, ServiceDesk Plus MSP before 10606, and SupportCenter Plus before 11022 are affected by an unauthenticated local file disclosure vulnerability via ticket-creation email. (This also affects Asset Explorer before 6977 with authentication.)
Zoho ManageEngine ADSelfService Plus before 6203
CVE-2022-34829
7.5 - High
- July 04, 2022
Zoho ManageEngine ADSelfService Plus before 6203 allows a denial of service (application restart) via a crafted payload to the Mobile App Deployment API.
Zoho ManageEngine ServiceDesk Plus MSP before 10604
CVE-2022-32551
7.5 - High
- July 02, 2022
Zoho ManageEngine ServiceDesk Plus MSP before 10604 allows path traversal (to WEBINF/web.xml from sample/WEB-INF/web.xml or sample/META-INF/web.xml).
Directory traversal
ManageEngine AppManager15 (Build No:15510)
CVE-2022-23050
7.2 - High
- May 24, 2022
ManageEngine AppManager15 (Build No:15510) allows an authenticated admin user to upload a DLL file to perform a DLL hijack attack inside the 'working' folder through the 'Upload Files / Binaries' functionality.
DLL preloading
Zoho ManageEngine ADSelfService Plus before 6202
CVE-2022-28987
5.3 - Medium
- May 20, 2022
Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login.
Zoho ManageEngine OPManager through 125588
CVE-2022-29535
9.8 - Critical
- May 05, 2022
Zoho ManageEngine OPManager through 125588 allows SQL Injection via a few default reports.
SQL Injection
Zoho ManageEngine Access Manager Plus before 4302
CVE-2022-29081
9.8 - Critical
- April 28, 2022
Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. FetchEvents. and Synchronize) via the ../RestAPI substring.
Directory traversal
Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131
CVE-2022-29457
8.8 - High
- April 18, 2022
Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.
Insufficiently Protected Credentials
Zoho ManageEngine ADSelfService Plus before build 6122
CVE-2022-28810
6.8 - Medium
- April 18, 2022
Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field.
Shell injection
Zoho ManageEngine OpManager before 125588 (and before 125603) is vulnerable to authenticated SQL Injection in the Inventory Reports module.
CVE-2022-27908
8.8 - High
- April 18, 2022
Zoho ManageEngine OpManager before 125588 (and before 125603) is vulnerable to authenticated SQL Injection in the Inventory Reports module.
SQL Injection
Zoho ManageEngine Remote Access Plus before 10.1.2137.15
CVE-2022-26653
5.3 - Medium
- April 16, 2022
Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view domain details (such as the username and GUID of an administrator).
forced browsing
Zoho ManageEngine Remote Access Plus before 10.1.2137.15
CVE-2022-26777
5.3 - Medium
- April 16, 2022
Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view license details.
forced browsing
Zoho ManageEngine ADSelfService Plus before 6121
CVE-2022-24681
6.1 - Medium
- April 07, 2022
Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen.
XSS
Zoho ManageEngine ADAudit Plus before 7055 allows authenticated Privilege Escalation on Integrated products
CVE-2022-24978
8.8 - High
- April 05, 2022
Zoho ManageEngine ADAudit Plus before 7055 allows authenticated Privilege Escalation on Integrated products. This occurs because a password field is present in a JSON response.
Cleartext Transmission of Sensitive Information
Zoho ManageEngine ServiceDesk Plus before 13001
CVE-2022-25245
5.3 - Medium
- April 05, 2022
Zoho ManageEngine ServiceDesk Plus before 13001 allows anyone to know the organisation's default currency name.
Missing Authentication for Critical Function
Zoho ManageEngine SupportCenter Plus before 11020
CVE-2022-25373
5.4 - Medium
- April 05, 2022
Zoho ManageEngine SupportCenter Plus before 11020 allows Stored XSS in the request history.
XSS
Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack
CVE-2022-28219
9.8 - Critical
- April 05, 2022
Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution.
XXE
Zoho ManageEngine Desktop Central before 10.1.2137.8 exposes the installed server name to anyone
CVE-2022-23779
5.3 - Medium
- March 02, 2022
Zoho ManageEngine Desktop Central before 10.1.2137.8 exposes the installed server name to anyone. The internal hostname can be discovered by reading HTTP redirect responses.
Information Disclosure
Zoho ManageEngine SharePoint Manager Plus before 4329 is vulnerable to a sensitive data leak
CVE-2022-24305
9.8 - Critical
- March 02, 2022
Zoho ManageEngine SharePoint Manager Plus before 4329 is vulnerable to a sensitive data leak that leads to privilege escalation.
Zoho ManageEngine SharePoint Manager Plus before 4329
CVE-2022-24306
9.8 - Critical
- March 02, 2022
Zoho ManageEngine SharePoint Manager Plus before 4329 allows account takeover because authorization is mishandled.
AuthZ
An issue was discovered in Zoho ManageEngine Key Manager Plus before 6200
CVE-2022-24447
6.5 - Medium
- March 02, 2022
An issue was discovered in Zoho ManageEngine Key Manager Plus before 6200. A service exposed by the application allows a user, with the level Operator, to access stored SSL certificates and associated key pairs during export.
An issue was discovered in Zoho ManageEngine Key Manager Plus 6.1.6
CVE-2022-24446
4.3 - Medium
- March 01, 2022
An issue was discovered in Zoho ManageEngine Key Manager Plus 6.1.6. A user, with the level Operator, can see all SSH servers (and user information) even if no SSH server or user is associated to the operator.
Zoho ManageEngine Desktop Central before 10.1.2137.10
CVE-2022-23863
6.5 - Medium
- January 28, 2022
Zoho ManageEngine Desktop Central before 10.1.2137.10 allows an authenticated user to change any user's login password.
A Cross-site scripting (XSS) vulnerability in Secondary Email Field in Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306
CVE-2021-46065
4.8 - Medium
- January 27, 2022
A Cross-site scripting (XSS) vulnerability in Secondary Email Field in Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306 allows an attackers to inject arbitrary JavaScript code.
XSS
Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9
CVE-2021-44757
9.1 - Critical
- January 18, 2022
Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9 allow attackers to bypass authentication, and read sensitive information or upload an arbitrary ZIP archive to the server.
Zoho ManageEngine CloudSecurityPlus before Build 4117
CVE-2021-44651
8.8 - High
- January 12, 2022
Zoho ManageEngine CloudSecurityPlus before Build 4117 allows remote code execution through the updatePersonalizeSettings component due to an improper security patch for CVE-2021-40175.
Unrestricted File Upload