Zoho Corp ZoHo

Have you ever wondered how the world's most successful people seem to have everything under control even though the… https://t.co/KeHHHLWWYV
Mon Mar 27 04:20:00 +0000 2023

RT @ZohoMeeting: We couldn’t ask for a better way to wrap things up! ✨ Mr. @Manothangaraj, the Hon’ble Minister for IT & Digital services…
Sat Mar 25 14:22:12 +0000 2023

Established in 2011,@WaterfieldHQ is India’s leading independent multi-family office and wealth advisory firm. Wat… https://t.co/gC9ErILqKt
Fri Mar 24 04:59:38 +0000 2023

The cornerstone of a service-based business is your website and specifically the 'Services' page. A well-written s… https://t.co/66LvBq944n
Thu Mar 23 11:47:45 +0000 2023

RT @umaginechennai: Mr @svembu , Founder of @Zoho , shared his experience on building a great product, value and the importance of work cul…
Thu Mar 23 11:06:05 +0000 2023

By the Year

In 2023 there have been 14 vulnerabilities in Zoho Corp with an average score of 7.5 out of ten. Last year Zoho Corp had 55 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Zoho Corp in 2023 could surpass last years number. Last year, the average CVE base score was greater by 0.05

Year	Vulnerabilities	Average Score
2023	14	7.48
2022	55	7.52
2021	96	8.61
2020	40	7.76
2019	58	7.35
2018	48	7.63

It may take a day or so for new Zoho Corp vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Zoho Corp Security Vulnerabilities

Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Center Plus before 14000

CVE-2023-26601 7.5 - High - March 06, 2023

Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Center Plus before 14000 allow Denial-of-Service (DoS).

Resource Exhaustion

ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Explorer through 6987

CVE-2023-26600 6.5 - Medium - March 06, 2023

ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Explorer through 6987 allow privilege escalation via query reports.

Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2

CVE-2022-48362 8.8 - High - February 25, 2023

Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2 allow directory traversal via computerName to AgentLogUploadServlet. A remote, authenticated attacker could upload arbitrary code that would be executed when Desktop Central is restarted. (The attacker could authenticate by exploiting CVE-2021-44515.)

Directory traversal

The Zoho Forms WordPress plugin before 3.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could

CVE-2023-0169 5.4 - Medium - February 13, 2023

The Zoho Forms WordPress plugin before 3.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

XSS

Cross Site Scripting (XSS) vulnerability in Zoho Asset Explorer 6.9

CVE-2023-23075 6.1 - Medium - February 01, 2023

Cross Site Scripting (XSS) vulnerability in Zoho Asset Explorer 6.9 via the credential name when creating a new Assets Workstation.

XSS

OS Command injection vulnerability in Support Center Plus 11

CVE-2023-23076 9.8 - Critical - February 01, 2023

OS Command injection vulnerability in Support Center Plus 11 via Executor in Action when creating new schedules.

Shell injection

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13

CVE-2023-23077 6.1 - Medium - February 01, 2023

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment.

XSS

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14

CVE-2023-23078 6.1 - Medium - February 01, 2023

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets.

XSS

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14

CVE-2023-23073 6.1 - Medium - February 01, 2023

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component.

XSS

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14

CVE-2023-23074 6.1 - Medium - February 01, 2023

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via embedding videos in the language component.

XSS

Zoho ManageEngine ServiceDesk Plus MSP before 10611

CVE-2023-22964 9.1 - Critical - January 20, 2023

Zoho ManageEngine ServiceDesk Plus MSP before 10611, and 13x before 13004, is vulnerable to authentication bypass when LDAP authentication is enabled.

authentification

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in

CVE-2022-47966 9.8 - Critical - January 18, 2023

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections.

Zoho ManageEngine Exchange Reporter Plus before 5708

CVE-2023-22624 7.5 - High - January 17, 2023

Zoho ManageEngine Exchange Reporter Plus before 5708 allows attackers to conduct XXE attacks.

XXE

Zoho ManageEngine Access Manager Plus before 4309

CVE-2022-47523 9.8 - Critical - January 05, 2023

Zoho ManageEngine Access Manager Plus before 4309, Password Manager Pro before 12210, and PAM360 before 5801 are vulnerable to SQL Injection.

SQL Injection

DISPUTED An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15

CVE-2022-47577 7.8 - High - December 20, 2022

** DISPUTED ** An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the USB restrictions by making use of a virtual machine (VM). This allows a file to be exchanged outside the laptop/system. VMs can be created by any user (even without admin rights). The data exfiltration can occur without any record in the audit trail of Windows events on the host machine. NOTE: the vendor's position is "it's not a vulnerability in our product."

DISPUTED An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15

CVE-2022-47578 7.8 - High - December 20, 2022

** DISPUTED ** An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the USB restrictions by booting into Safe Mode. This allows a file to be exchanged outside the laptop/system. Safe Mode can be launched by any user (even without admin rights). Data exfiltration can occur, and also malware might be introduced onto the system. NOTE: the vendor's position is "it's not a vulnerability in our product."

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack

CVE-2022-40771 4.9 - Medium - November 23, 2022

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure.

XXE

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to a validation bypass

CVE-2022-40772 6.5 - Medium - November 23, 2022

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to a validation bypass that allows users to access sensitive data via the report module.

Improper Privilege Management

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to authenticated command injection

CVE-2022-40770 7.2 - High - November 23, 2022

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to authenticated command injection. This can be exploited by high-privileged users.

Command Injection

Zoho ManageEngine ADManager Plus through 7151

CVE-2022-42904 7.2 - High - November 18, 2022

Zoho ManageEngine ADManager Plus through 7151 allows authenticated admin users to execute the commands in proxy settings.

Zoho ManageEngine SupportCenter Plus through 11024

CVE-2022-42903 3.3 - Low - November 17, 2022

Zoho ManageEngine SupportCenter Plus through 11024 allows low-privileged users to view the organization users list.

AuthZ

Zoho ManageEngine ServiceDesk Plus MSP before 10609 and SupportCenter Plus before 11025 are vulnerable to privilege escalation

CVE-2022-40773 8.8 - High - November 12, 2022

Zoho ManageEngine ServiceDesk Plus MSP before 10609 and SupportCenter Plus before 11025 are vulnerable to privilege escalation. This allows users to obtain sensitive data during an exportMickeyList export of requests from the list view.

AuthZ

In Zoho ManageEngine Mobile Device Manager Plus before 10.1.2207.5, the User Administration module

CVE-2022-41339 7.8 - High - November 12, 2022

In Zoho ManageEngine Mobile Device Manager Plus before 10.1.2207.5, the User Administration module allows privilege escalation.

Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306

CVE-2022-43671 9.8 - Critical - November 12, 2022

Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection.

SQL Injection

Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306

CVE-2022-43672 9.8 - Critical - November 12, 2022

Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection (in a different software component relative to CVE-2022-43671.

SQL Injection

Auth. (subscriber+) Arbitrary Options Update vulnerability i

CVE-2022-41978 6.5 - Medium - November 09, 2022

Auth. (subscriber+) Arbitrary Options Update vulnerability in Zoho CRM Lead Magnet plugin <= 1.7.5.8 on WordPress.

Zoho ManageEngine Password Manager Pro through 12120 before 12121

CVE-2022-40300 9.8 - Critical - September 16, 2022

Zoho ManageEngine Password Manager Pro through 12120 before 12121, PAM360 through 5550 before 5600, and Access Manager Plus through 4304 before 4305 have multiple SQL injection vulnerabilities.

SQL Injection

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 125658, 126003, 126105, and 126120 allow authenticated users to make database changes

CVE-2022-38772 8.8 - High - August 29, 2022

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 125658, 126003, 126105, and 126120 allow authenticated users to make database changes that lead to remote code execution in the NMAP feature.

Out-of-Band XML External Entity (OOB-XXE) vulnerability in Zoho ManageEngine Analytics Plus before 4.3.5

CVE-2020-21641 7.5 - High - August 15, 2022

Out-of-Band XML External Entity (OOB-XXE) vulnerability in Zoho ManageEngine Analytics Plus before 4.3.5 allows remote attackers to read arbitrary files, enumerate folders and scan internal ports via crafted XML license file.

XXE

Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350

CVE-2020-21642 9.8 - Critical - August 15, 2022

Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.

Directory traversal

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118)

CVE-2022-36923 7.5 - High - August 10, 2022

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user's API key, and then access external APIs.

Improper Handling of Exceptional Conditions

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 2022-07-29 through 2022-07-30 ( 125658, 126003, 126105, and 126120) allow authenticated users to make database changes

CVE-2022-37024 8.8 - High - August 10, 2022

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 2022-07-29 through 2022-07-30 ( 125658, 126003, 126105, and 126120) allow authenticated users to make database changes that lead to remote code execution.

In Zoho ManageEngine SupportCenter Plus before 11023, V3 API requests are vulnerable to authentication bypass

CVE-2022-36412 9.8 - Critical - July 26, 2022

In Zoho ManageEngine SupportCenter Plus before 11023, V3 API requests are vulnerable to authentication bypass. (An API request may, in effect, be executed with the credentials of a user who authenticated in the past.)

authentification

Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution

CVE-2022-35405 9.8 - Critical - July 19, 2022

Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.)

ManageEngine Password Manager Pro 12100 and prior and OPManager 126100 and prior are vulnerable to unauthorized file and directory creation on a server machine.

CVE-2022-35404 8.2 - High - July 18, 2022

ManageEngine Password Manager Pro 12100 and prior and OPManager 126100 and prior are vulnerable to unauthorized file and directory creation on a server machine.

Resource Exhaustion

Zoho ManageEngine ServiceDesk Plus before 13008, ServiceDesk Plus MSP before 10606, and SupportCenter Plus before 11022 are affected by an unauthenticated local file disclosure vulnerability

CVE-2022-35403 7.5 - High - July 12, 2022

Zoho ManageEngine ServiceDesk Plus before 13008, ServiceDesk Plus MSP before 10606, and SupportCenter Plus before 11022 are affected by an unauthenticated local file disclosure vulnerability via ticket-creation email. (This also affects Asset Explorer before 6977 with authentication.)

Zoho ManageEngine ADSelfService Plus before 6203

CVE-2022-34829 7.5 - High - July 04, 2022

Zoho ManageEngine ADSelfService Plus before 6203 allows a denial of service (application restart) via a crafted payload to the Mobile App Deployment API.

Zoho ManageEngine ServiceDesk Plus MSP before 10604

CVE-2022-32551 7.5 - High - July 02, 2022

Zoho ManageEngine ServiceDesk Plus MSP before 10604 allows path traversal (to WEBINF/web.xml from sample/WEB-INF/web.xml or sample/META-INF/web.xml).

Directory traversal

ManageEngine AppManager15 (Build No:15510)

CVE-2022-23050 7.2 - High - May 24, 2022

ManageEngine AppManager15 (Build No:15510) allows an authenticated admin user to upload a DLL file to perform a DLL hijack attack inside the 'working' folder through the 'Upload Files / Binaries' functionality.

Unrestricted File Upload

Zoho ManageEngine ADSelfService Plus before 6202

CVE-2022-28987 5.3 - Medium - May 20, 2022

Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login.

Zoho ManageEngine OPManager through 125588

CVE-2022-29535 9.8 - Critical - May 05, 2022

Zoho ManageEngine OPManager through 125588 allows SQL Injection via a few default reports.

SQL Injection

Zoho ManageEngine Access Manager Plus before 4302

CVE-2022-29081 9.8 - Critical - April 28, 2022

Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. FetchEvents. and Synchronize) via the ../RestAPI substring.

AuthZ

Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131

CVE-2022-29457 8.8 - High - April 18, 2022

Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.

Insufficiently Protected Credentials

Zoho ManageEngine ADSelfService Plus before build 6122

CVE-2022-28810 6.8 - Medium - April 18, 2022

Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field.

Shell injection

Zoho ManageEngine OpManager before 125588 (and before 125603) is vulnerable to authenticated SQL Injection in the Inventory Reports module.

CVE-2022-27908 8.8 - High - April 18, 2022

Zoho ManageEngine OpManager before 125588 (and before 125603) is vulnerable to authenticated SQL Injection in the Inventory Reports module.

SQL Injection

Zoho ManageEngine Remote Access Plus before 10.1.2137.15

CVE-2022-26653 5.3 - Medium - April 16, 2022

Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view domain details (such as the username and GUID of an administrator).

Exposure of Resource to Wrong Sphere

Zoho ManageEngine Remote Access Plus before 10.1.2137.15

CVE-2022-26777 5.3 - Medium - April 16, 2022

Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view license details.

Exposure of Resource to Wrong Sphere

Zoho ManageEngine ADSelfService Plus before 6121

CVE-2022-24681 6.1 - Medium - April 07, 2022

Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen.

XSS

Zoho ManageEngine ADAudit Plus before 7055 allows authenticated Privilege Escalation on Integrated products

CVE-2022-24978 8.8 - High - April 05, 2022

Zoho ManageEngine ADAudit Plus before 7055 allows authenticated Privilege Escalation on Integrated products. This occurs because a password field is present in a JSON response.

Insufficiently Protected Credentials

Zoho ManageEngine ServiceDesk Plus before 13001

CVE-2022-25245 5.3 - Medium - April 05, 2022

Zoho ManageEngine ServiceDesk Plus before 13001 allows anyone to know the organisation's default currency name.

Information Disclosure

Zoho ManageEngine SupportCenter Plus before 11020

CVE-2022-25373 5.4 - Medium - April 05, 2022

Zoho ManageEngine SupportCenter Plus before 11020 allows Stored XSS in the request history.

XSS

Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack

CVE-2022-28219 9.8 - Critical - April 05, 2022

Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution.

XXE

Zoho ManageEngine Desktop Central before 10.1.2137.8 exposes the installed server name to anyone

CVE-2022-23779 5.3 - Medium - March 02, 2022

Zoho ManageEngine Desktop Central before 10.1.2137.8 exposes the installed server name to anyone. The internal hostname can be discovered by reading HTTP redirect responses.

Information Disclosure

Zoho ManageEngine SharePoint Manager Plus before 4329 is vulnerable to a sensitive data leak

CVE-2022-24305 9.8 - Critical - March 02, 2022

Zoho ManageEngine SharePoint Manager Plus before 4329 is vulnerable to a sensitive data leak that leads to privilege escalation.

Improper Privilege Management

Zoho ManageEngine SharePoint Manager Plus before 4329

CVE-2022-24306 9.8 - Critical - March 02, 2022

Zoho ManageEngine SharePoint Manager Plus before 4329 allows account takeover because authorization is mishandled.

AuthZ

An issue was discovered in Zoho ManageEngine Key Manager Plus before 6200

CVE-2022-24447 6.5 - Medium - March 02, 2022

An issue was discovered in Zoho ManageEngine Key Manager Plus before 6200. A service exposed by the application allows a user, with the level Operator, to access stored SSL certificates and associated key pairs during export.

Information Disclosure

An issue was discovered in Zoho ManageEngine Key Manager Plus 6.1.6

CVE-2022-24446 4.3 - Medium - March 01, 2022

An issue was discovered in Zoho ManageEngine Key Manager Plus 6.1.6. A user, with the level Operator, can see all SSH servers (and user information) even if no SSH server or user is associated to the operator.

Exposure of Resource to Wrong Sphere

Zoho ManageEngine Desktop Central before 10.1.2137.10

CVE-2022-23863 6.5 - Medium - January 28, 2022

Zoho ManageEngine Desktop Central before 10.1.2137.10 allows an authenticated user to change any user's login password.

Improper Privilege Management

A Cross-site scripting (XSS) vulnerability in Secondary Email Field in Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306

CVE-2021-46065 4.8 - Medium - January 27, 2022

A Cross-site scripting (XSS) vulnerability in Secondary Email Field in Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306 allows an attackers to inject arbitrary JavaScript code.

XSS

Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9

CVE-2021-44757 9.1 - Critical - January 18, 2022

Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9 allow attackers to bypass authentication, and read sensitive information or upload an arbitrary ZIP archive to the server.

Zoho ManageEngine CloudSecurityPlus before Build 4117

CVE-2021-44651 8.8 - High - January 12, 2022

Zoho ManageEngine CloudSecurityPlus before Build 4117 allows remote code execution through the updatePersonalizeSettings component due to an improper security patch for CVE-2021-40175.

Unrestricted File Upload

Zoho ManageEngine O365 Manager Plus before Build 4416

CVE-2021-44652 7.8 - High - January 12, 2022

Zoho ManageEngine O365 Manager Plus before Build 4416 allows remote code execution via BCP file overwrite through the ChangeDBAPI component.

Zoho ManageEngine M365 Manager Plus before Build 4419

CVE-2021-44650 7.2 - High - January 12, 2022

Zoho ManageEngine M365 Manager Plus before Build 4419 allows remote command execution when updating proxy settings through the Admin ProxySettings and Tenant ProxySettings components.

A vulnerability in the showReports module of Zoho ManageEngine Applications Manager before build 14550

CVE-2020-28679 8.8 - High - January 10, 2022

A vulnerability in the showReports module of Zoho ManageEngine Applications Manager before build 14550 allows authenticated attackers to execute a SQL injection via a crafted request.

SQL Injection

Zoho ManageEngine Desktop Central before 10.0.662

CVE-2021-46164 8.8 - High - January 10, 2022

Zoho ManageEngine Desktop Central before 10.0.662 allows remote code execution by an authenticated user who has complete access to the Reports module.

Zoho ManageEngine Desktop Central before 10.0.662, during startup, launches an executable file

CVE-2021-46165 7.8 - High - January 10, 2022

Zoho ManageEngine Desktop Central before 10.0.662, during startup, launches an executable file from the batch files, but this file's path might not be properly defined.

Zoho ManageEngine Desktop Central before 10.0.662

CVE-2021-46166 6.5 - Medium - January 10, 2022

Zoho ManageEngine Desktop Central before 10.0.662 allows authenticated users to obtain sensitive information from the database by visiting the Reports page.

Information Disclosure

ManageEngine ADSelfService Plus below build 6116 stores the password policy file for each domain under the html/ web root with a predictable filename based on the domain name

CVE-2021-20148 4.3 - Medium - January 03, 2022

ManageEngine ADSelfService Plus below build 6116 stores the password policy file for each domain under the html/ web root with a predictable filename based on the domain name. When ADSSP is configured with multiple Windows domains, a user from one domain can obtain the password policy for another domain by authenticating to the service and then sending a request specifying the password policy file of the other domain.

Information Disclosure

ManageEngine ADSelfService Plus below build 6116 contains an observable response discrepancy in the UMCP operation of the ChangePasswordAPI

CVE-2021-20147 5.3 - Medium - January 03, 2022

ManageEngine ADSelfService Plus below build 6116 contains an observable response discrepancy in the UMCP operation of the ChangePasswordAPI. This allows an unauthenticated remote attacker to determine whether a Windows domain user exists.

Side Channel Attack

Zoho ManageEngine ServiceDesk Plus before 12003

CVE-2021-44526 9.8 - Critical - December 23, 2021

Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.

Zoho ManageEngine PAM360 before build 5303

CVE-2021-44525 9.8 - Critical - December 20, 2021

Zoho ManageEngine PAM360 before build 5303 allows attackers to modify a few aspects of application state because of a filter bypass in which authentication is not required.

Exposure of Resource to Wrong Sphere

Zoho ManageEngine Access Manager Plus before 4203 allows anyone to view a few data elements (e.g

CVE-2021-44676 9.8 - Critical - December 20, 2021

Zoho ManageEngine Access Manager Plus before 4203 allows anyone to view a few data elements (e.g., access control details) and modify a few aspects of the application state.

Exposure of Resource to Wrong Sphere

Zoho ManageEngine ServiceDesk Plus MSP before 10.5 Build 10534 is vulnerable to unauthenticated remote code execution due to a filter bypass in

CVE-2021-44675 9.8 - Critical - December 20, 2021

Zoho ManageEngine ServiceDesk Plus MSP before 10.5 Build 10534 is vulnerable to unauthenticated remote code execution due to a filter bypass in which authentication is not required.

authentification

Zoho ManageEngine Desktop Central is vulnerable to authentication bypass

CVE-2021-44515 9.8 - Critical - December 12, 2021

Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in the wild in December 2021. For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.

OpUtils in Zoho ManageEngine OpManager 12.5 before 125490 mishandles authentication for a few audit directories.

CVE-2021-44514 9.8 - Critical - December 09, 2021

OpUtils in Zoho ManageEngine OpManager 12.5 before 125490 mishandles authentication for a few audit directories.

authentification

Zoho ManageEngine Network Configuration Manager before 125488 is vulnerable to command injection due to improper validation in the Ping functionality.

CVE-2021-43319 9.8 - Critical - November 30, 2021

Zoho ManageEngine Network Configuration Manager before 125488 is vulnerable to command injection due to improper validation in the Ping functionality.

Command Injection

Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to an SSRF attack in ActionExecutor.

CVE-2021-43296 7.5 - High - November 30, 2021

Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to an SSRF attack in ActionExecutor.

XSPA

Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Accounts module.

CVE-2021-43295 6.1 - Medium - November 30, 2021

Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Accounts module.

XSS

Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Products module.

CVE-2021-43294 6.1 - Medium - November 30, 2021

Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Products module.

XSS

Zoho ManageEngine M365 Manager Plus before 4421 is vulnerable to file-upload remote code execution.

CVE-2021-42099 9.8 - Critical - November 30, 2021

Zoho ManageEngine M365 Manager Plus before 4421 is vulnerable to file-upload remote code execution.

Unrestricted File Upload

Zoho ManageEngine ServiceDesk Plus before 11306

CVE-2021-44077 9.8 - Critical - November 29, 2021

Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.

Zoho ManageEngine Network Configuration Manager before ??125465 is vulnerable to SQL Injection in a hardware details search.

CVE-2021-41080 9.8 - Critical - November 11, 2021

Zoho ManageEngine Network Configuration Manager before ??125465 is vulnerable to SQL Injection in a hardware details search.

SQL Injection

Zoho ManageEngine Network Configuration Manager before ??125465 is vulnerable to SQL Injection in a configuration search.

CVE-2021-41081 9.8 - Critical - November 11, 2021

Zoho ManageEngine Network Configuration Manager before ??125465 is vulnerable to SQL Injection in a configuration search.

SQL Injection

Zoho ManageEngine Patch Connect Plus before 90099 is vulnerable to unauthenticated remote code execution.

CVE-2021-41833 9.8 - Critical - November 11, 2021

Zoho ManageEngine Patch Connect Plus before 90099 is vulnerable to unauthenticated remote code execution.

Unrestricted File Upload

Zoho ManageEngine ADManager Plus before 7115 is vulnerable to a filter bypass

CVE-2021-42002 9.8 - Critical - November 11, 2021

Zoho ManageEngine ADManager Plus before 7115 is vulnerable to a filter bypass that leads to file-upload remote code execution.

Zoho ManageEngine ADAudit Plus before 7006

CVE-2021-42847 9.8 - Critical - November 11, 2021

Zoho ManageEngine ADAudit Plus before 7006 allows attackers to write to, and execute, arbitrary files.

An issue was found in /showReports.do Zoho ManageEngine Applications Manager up to 14550

CVE-2020-24743 9.8 - Critical - November 03, 2021

An issue was found in /showReports.do Zoho ManageEngine Applications Manager up to 14550, allows attackers to gain escalated privileges via the resourceid parameter.

ManageEngine Log360 Builds < 5235 are affected by an improper access control vulnerability allowing database configuration overwrite

CVE-2021-20136 9.8 - Critical - November 01, 2021

ManageEngine Log360 Builds < 5235 are affected by an improper access control vulnerability allowing database configuration overwrite. An unauthenticated remote attacker can send a specially crafted message to Log360 to change its backend database to an attacker-controlled database and to force Log360 to restart. An attacker can leverage this vulnerability to achieve remote code execution by replacing files executed by Log360 on startup.

Missing Authentication for Critical Function

An SSRF issue was discovered in Zoho ManageEngine Applications Manager build 15200.

CVE-2021-35512 6.5 - Medium - October 21, 2021

An SSRF issue was discovered in Zoho ManageEngine Applications Manager build 15200.

XSPA

Zoho ManageEngine OpManager before 125437 is vulnerable to SQL Injection in the support diagnostics module

CVE-2021-40493 9.8 - Critical - October 13, 2021

Zoho ManageEngine OpManager before 125437 is vulnerable to SQL Injection in the support diagnostics module. This occurs via the pollingObject parameter of the getDataCollectionFailureReason API.

SQL Injection

The NetFlow Analyzer in Zoho ManageEngine OpManger before 125455 is vulnerable to SQL Injection in the Attacks Module API.

CVE-2021-41075 9.8 - Critical - October 13, 2021

The NetFlow Analyzer in Zoho ManageEngine OpManger before 125455 is vulnerable to SQL Injection in the Attacks Module API.

SQL Injection

ManageEngine ADManager Plus Build 7111 contains a post-authentication remote code execution vulnerability due to improperly validated file uploads in the PasswordExpiry interface.

CVE-2021-20130 8.8 - High - October 13, 2021

ManageEngine ADManager Plus Build 7111 contains a post-authentication remote code execution vulnerability due to improperly validated file uploads in the PasswordExpiry interface.

Unrestricted File Upload

ManageEngine ADManager Plus Build 7111 contains a post-authentication remote code execution vulnerability due to improperly validated file uploads in the Personalization interface.

CVE-2021-20131 8.8 - High - October 13, 2021

ManageEngine ADManager Plus Build 7111 contains a post-authentication remote code execution vulnerability due to improperly validated file uploads in the Personalization interface.

Unrestricted File Upload