Zoho Corp ZoHo

Zohocorp ManageEngine ServiceDesk Plus versions below 14920 

CVE-2024-50053 5.4 - Medium - March 21, 2025

Zohocorp ManageEngine ServiceDesk Plus versions below 14920 , ServiceDesk Plus MSP and SupportCentre Plus versions below 14910 are vulnerable to Stored XSS in the task feature.

XSS

ManageEngine Analytics Plus Authenticated Sensitive Data Exposure Vulnerability

CVE-2024-52323 - November 27, 2024

Zohocorp ManageEngine Analytics Plus versions below 6100 are vulnerable to authenticated sensitive data exposure which allows the users to retrieve sensitive tokens associated to the org-admin account.

Zohocorp ManageEngine ADAudit Plus versions below 8123 are vulnerable to SQL Injection in the reports module.

CVE-2024-49574 8.8 - High - November 18, 2024

Zohocorp ManageEngine ADAudit Plus versions below 8123 are vulnerable to SQL Injection in the reports module.

SQL Injection

ManageEngine SharePoint XXE in Management v4503 - November 2024

CVE-2024-10839 8.1 - High - November 08, 2024

Zohocorp ManageEngine SharePoint Manager Plus versions 4503 and prior are vulnerable to authenticated XML External Entity (XXE) in the Management option.

XXE

ManageEngine ADManager Plus Privilege Escalation - November 2024

CVE-2024-24409 8.8 - High - November 08, 2024

Zohocorp ManageEngine ADManager Plus versions 7203 and prior are vulnerable to Privilege Escalation in the Modify Computers option.

SQL Injection in ManageEngine Exchange Reporter Plus Reports

CVE-2024-9459 8.8 - High - November 05, 2024

Zohocorp ManageEngine Exchange Reporter Plus versions 5718 and prior are vulnerable to authenticated SQL Injection in reports module.

SQL Injection

SQL Injection Vulnerability in Zoho ManageEngine ADAudit Plus Technician Reports

CVE-2024-36485 8.8 - High - November 04, 2024

Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to SQL Injection in Technician reports option.

SQL Injection

SQL Injection Vulnerability in Zoho ManageEngine ADManager Plus Archived Audit Report

CVE-2024-48878 8.8 - High - November 04, 2024

Zohocorp ManageEngine ADManager Plus versions 7241 and prior are vulnerable to SQL Injection in Archived Audit Report.

SQL Injection

Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to SQL Injection in the technician reports feature.

CVE-2024-5608 8.1 - High - October 24, 2024

Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to SQL Injection in the technician reports feature.

SQL Injection

Zohocorp ManageEngine Endpoint Central affected by Incorrect authorization vulnerability while isolating the devices.This issue affects Endpoint Central: before 11.3.2406.08 and before 11.3.2400.15

CVE-2024-38868 8.3 - High - August 30, 2024

Zohocorp ManageEngine Endpoint Central affected by Incorrect authorization vulnerability while isolating the devices.This issue affects Endpoint Central: before 11.3.2406.08 and before 11.3.2400.15

AuthZ

Zohocorp ManageEngine Exchange Reporter Plus versions before 5715 are vulnerable to SQL Injection in the reports module.

CVE-2024-6204 8.1 - High - August 30, 2024

Zohocorp ManageEngine Exchange Reporter Plus versions before 5715 are vulnerable to SQL Injection in the reports module.

SQL Injection

Zohocorp ManageEngine Password Manager Pro versions before 12431 and ManageEngine PAM360 versions before 7001 are affected by authenticated SQL Injection vulnerability

CVE-2024-5546 8.8 - High - August 28, 2024

Zohocorp ManageEngine Password Manager Pro versions before 12431 and ManageEngine PAM360 versions before 7001 are affected by authenticated SQL Injection vulnerability via a global search option.

SQL Injection

Zohocorp ManageEngine Endpoint Central affected by Incorrect authorization vulnerability in remote office deploy configurations.This issue affects Endpoint Central: before 11.3.2416.04 and before 11.3.2400.25.

CVE-2024-38869 5.4 - Medium - August 23, 2024

Zohocorp ManageEngine Endpoint Central affected by Incorrect authorization vulnerability in remote office deploy configurations.This issue affects Endpoint Central: before 11.3.2416.04 and before 11.3.2400.25.

XSS

An Stored Cross-site Scripting vulnerability in request module affects Zohocorp ManageEngine ServiceDesk Plus

CVE-2024-41150 6.1 - Medium - August 23, 2024

An Stored Cross-site Scripting vulnerability in request module affects Zohocorp ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus.This issue affects ServiceDesk Plus versions: through 14810; ServiceDesk Plus MSP: through 14800; SupportCenter Plus: through 14800.

XSS

Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to the authenticated SQL injection in account lockout report.

CVE-2024-5467 8.8 - High - August 23, 2024

Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to the authenticated SQL injection in account lockout report.

SQL Injection

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in aggregate reports option.

CVE-2024-5490 8.8 - High - August 23, 2024

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in aggregate reports option.

SQL Injection

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in reports module.

CVE-2024-5556 8.8 - High - August 23, 2024

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in reports module.

SQL Injection

Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to the authenticated SQL injection in extranet lockouts report option.

CVE-2024-5586 8.8 - High - August 23, 2024

Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to the authenticated SQL injection in extranet lockouts report option.

SQL Injection

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in file summary option.

CVE-2024-36514 8.8 - High - August 23, 2024

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in file summary option.

SQL Injection

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in dashboard

CVE-2024-36515 8.8 - High - August 23, 2024

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in dashboard. Note: This vulnerability is different from another vulnerability (CVE-2024-36516), both of which have affected ADAudit Plus' dashboard.

SQL Injection

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in dashboard

CVE-2024-36516 8.8 - High - August 23, 2024

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in dashboard. Note: This vulnerability is different from another vulnerability (CVE-2024-36515), both of which have affected ADAudit Plus' dashboard.

SQL Injection

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in alerts module.

CVE-2024-36517 8.8 - High - August 23, 2024

Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in alerts module.

SQL Injection

Zohocorp ManageEngine OpManager and Remote Monitoring and Management versions 128329 and below are vulnerable to the authenticated remote code execution in the deploy agent option.

CVE-2024-5466 8.8 - High - August 23, 2024

Zohocorp ManageEngine OpManager and Remote Monitoring and Management versions 128329 and below are vulnerable to the authenticated remote code execution in the deploy agent option.

Code Injection

Zohocorp ManageEngine ADAudit Plus versions below 8003 are vulnerable to authenticated SQL Injection in aggregate reports' search option.

CVE-2024-36034 8.8 - High - August 12, 2024

Zohocorp ManageEngine ADAudit Plus versions below 8003 are vulnerable to authenticated SQL Injection in aggregate reports' search option.

SQL Injection

Zohocorp ManageEngine ADAudit Plus versions below 8003 are vulnerable to authenticated SQL Injection in user session recording.

CVE-2024-36035 8.8 - High - August 12, 2024

Zohocorp ManageEngine ADAudit Plus versions below 8003 are vulnerable to authenticated SQL Injection in user session recording.

SQL Injection

Zohocorp ManageEngine ADAudit Plus versions below 8110 are vulnerable to authenticated SQL Injection in attack surface analyzer's export option.

CVE-2024-5487 8.8 - High - August 12, 2024

Zohocorp ManageEngine ADAudit Plus versions below 8110 are vulnerable to authenticated SQL Injection in attack surface analyzer's export option.

SQL Injection

Zohocorp ManageEngine ADAudit Plus versions below 8110 are vulnerable to authenticated SQL Injection in file auditing configuration.

CVE-2024-5527 8.8 - High - August 12, 2024

Zohocorp ManageEngine ADAudit Plus versions below 8110 are vulnerable to authenticated SQL Injection in file auditing configuration.

SQL Injection

Zohocorp ManageEngine Applications Manager versions 170900 and below are vulnerable to the authenticated admin-only SQL Injection in the Create Monitor feature.

CVE-2024-5678 4.7 - Medium - August 01, 2024

Zohocorp ManageEngine Applications Manager versions 170900 and below are vulnerable to the authenticated admin-only SQL Injection in the Create Monitor feature.

SQL Injection

Zohocorp ManageEngine Exchange Reporter Plus versions 5717 and below are vulnerable to the authenticated SQL injection in the reports module.

CVE-2024-38871 8.8 - High - July 26, 2024

Zohocorp ManageEngine Exchange Reporter Plus versions 5717 and below are vulnerable to the authenticated SQL injection in the reports module.

SQL Injection

Zohocorp ManageEngine Exchange Reporter Plus versions 5717 and below are vulnerable to the authenticated SQL injection in the monitoring module.

CVE-2024-38872 8.8 - High - July 26, 2024

Zohocorp ManageEngine Exchange Reporter Plus versions 5717 and below are vulnerable to the authenticated SQL injection in the monitoring module.

SQL Injection

Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to directory traversal vulnerability which

CVE-2024-27311 8.8 - High - July 17, 2024

Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to directory traversal vulnerability which allows the user to upload new files to the server folder.

Unrestricted File Upload

Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to agent takeover vulnerability due to the hard-coded sensitive keys.

CVE-2024-5471 9.8 - Critical - July 17, 2024

Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to agent takeover vulnerability due to the hard-coded sensitive keys.

Use of Hard-coded Credentials

Zoho ManageEngine PAM360 is vulnerable to Stored XSS vulnerability

CVE-2024-27313 4.6 - Medium - May 29, 2024

Zoho ManageEngine PAM360 is vulnerable to Stored XSS vulnerability. This vulnerability is applicable only in the version 6610.

XSS

Zoho ManageEngine ADSelfService Plus versions below 6401 are vulnerable to the DOS attack due to the malicious LDAP input.

CVE-2024-27310 6.5 - Medium - May 27, 2024

Zoho ManageEngine ADSelfService Plus versions below 6401 are vulnerable to the DOS attack due to the malicious LDAP input.

Zoho ManageEngine ADAudit Plus versions 7260 and below

CVE-2024-36037 5.5 - Medium - May 27, 2024

Zoho ManageEngine ADAudit Plus versions 7260 and below allows unauthorized local agent machine users to view the session recordings.

AuthZ

Zohocorp ManageEngine PAM360 version 6601 is vulnerable to authorization vulnerability which

CVE-2024-27312 8.1 - High - May 20, 2024

Zohocorp ManageEngine PAM360 version 6601 is vulnerable to authorization vulnerability which allows a low-privileged user to perform admin actions. Note: This vulnerability affects only the PAM360 6600 version. No other versions are applicable to this vulnerability.

AuthZ

Zoho ManageEngine Exchange Reporter Plus versions 5714 and below are vulnerable to the Authenticated SQL injection in report exporting feature.

CVE-2024-21775 8.8 - High - February 16, 2024

Zoho ManageEngine Exchange Reporter Plus versions 5714 and below are vulnerable to the Authenticated SQL injection in report exporting feature.

SQL Injection

ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in home Graph-Data.

CVE-2024-0253 8.8 - High - February 02, 2024

ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in home Graph-Data.

SQL Injection

ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in File-Summary DrillDown

CVE-2024-0269 8.8 - High - February 02, 2024

ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in File-Summary DrillDown. This issue has been fixed and released in version 7271.

SQL Injection

Zoho ManageEngine ADAudit Plus through 7250 is vulnerable to SQL Injection in the report export option.

CVE-2023-48792 9.8 - Critical - February 02, 2024

Zoho ManageEngine ADAudit Plus through 7250 is vulnerable to SQL Injection in the report export option.

SQL Injection

Zoho ManageEngine ADAudit Plus through 7250

CVE-2023-48793 9.8 - Critical - February 02, 2024

Zoho ManageEngine ADAudit Plus through 7250 allows SQL Injection in the aggregate report feature.

SQL Injection

Zoho ManageEngine ADAudit Plus before 7270

CVE-2023-50785 2.7 - Low - January 25, 2024

Zoho ManageEngine ADAudit Plus before 7270 allows admin users to view names of arbitrary directories via path traversal.

Directory traversal

Zoho ManageEngine ServiceDesk Plus MSP before 14504

CVE-2023-49943 5.4 - Medium - January 18, 2024

Zoho ManageEngine ServiceDesk Plus MSP before 14504 allows stored XSS (by a low-privileged technician) via a task's name in a time sheet.

XSS

ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to the remote code execution due to the improper handling in the load balancer component

CVE-2024-0252 8.8 - High - January 11, 2024

ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to the remote code execution due to the improper handling in the load balancer component. Authentication is required in order to exploit this vulnerability.

A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258

CVE-2023-47211 8.6 - High - January 08, 2024

A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability.

Directory traversal

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoho Forms Form plugin for WordPress Zoho Forms

CVE-2023-50891 5.4 - Medium - December 29, 2023

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoho Forms Form plugin for WordPress Zoho Forms allows Stored XSS.This issue affects Form plugin for WordPress Zoho Forms: from n/a through 3.0.1.

XSS

Zoho ManageEngine RecoveryManager Plus before 6070

CVE-2023-48646 7.2 - High - November 22, 2023

Zoho ManageEngine RecoveryManager Plus before 6070 allows admin users to execute arbitrary commands via proxy settings.

An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed

CVE-2023-6105 5.5 - Medium - November 15, 2023

An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine product database.

A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0

CVE-2023-4767 6.1 - Medium - November 03, 2023

A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.csv.

Injection

A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0

CVE-2023-4768 6.1 - Medium - November 03, 2023

A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.pdf.

CRLF Injection

A SSRF vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0, specifically the /smtpConfig.do component

CVE-2023-4769 8.8 - High - November 03, 2023

A SSRF vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0, specifically the /smtpConfig.do component. This vulnerability could allow an authenticated attacker to launch targeted attacks, such as a cross-port attack, service enumeration and other attacks via HTTP requests.

SSRF

Zoho ManageEngine ADManager Plus before 7203

CVE-2023-41904 5.4 - Medium - September 27, 2023

Zoho ManageEngine ADManager Plus before 7203 allows 2FA bypass (for AuthToken generation) in REST APIs.

authentification

Zoho ManageEngine ADManager Plus before Build 7200

CVE-2023-38743 7.2 - High - September 11, 2023

Zoho ManageEngine ADManager Plus before Build 7200 allows admin users to execute commands on the host machine.

ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability

CVE-2023-35719 6.8 - Medium - September 06, 2023

ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of ManageEngine ADSelfService Plus. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Password Reset Portal used by the GINA client. The issue results from the lack of proper authentication of data received via HTTP. An attacker can leverage this vulnerability to bypass authentication and execute code in the context of SYSTEM. Was ZDI-CAN-17009.

Insufficient Verification of Data Authenticity

Zoho ManageEngine ADManager Plus before 7203

CVE-2023-39912 4.9 - Medium - August 31, 2023

Zoho ManageEngine ADManager Plus before 7203 allows Help Desk Technician users to read arbitrary files on the machine where this product is installed.

Directory traversal

Zoho ManageEngine Active Directory 360 versions 4315 and below, ADAudit Plus 7202 and below, ADManager Plus 7200 and below, Asset Explorer 6993 and below and 7xxx 7002 and below, Cloud Security Plus 4161 and below, Data Security Plus 6110 and below, Eventlog Analyzer 12301 and below, Exchange Reporter Plus 5709 and below, Log360 5315 and below, Log360 UEBA 4045 and below, M365 Manager Plus 4529 and below, M365 Security Plus 4529 and below, Recovery Manager Plus 6061 and below, ServiceDesk Plus 14204 and below and 143xx 14302 and below, ServiceDesk Plus MSP 14300 and below, SharePoint Manager Plus 4402 and below, and Support Center Plus 14300 and below are vulnerable to 2FA bypass

CVE-2023-35785 8.1 - High - August 28, 2023

Zoho ManageEngine Active Directory 360 versions 4315 and below, ADAudit Plus 7202 and below, ADManager Plus 7200 and below, Asset Explorer 6993 and below and 7xxx 7002 and below, Cloud Security Plus 4161 and below, Data Security Plus 6110 and below, Eventlog Analyzer 12301 and below, Exchange Reporter Plus 5709 and below, Log360 5315 and below, Log360 UEBA 4045 and below, M365 Manager Plus 4529 and below, M365 Security Plus 4529 and below, Recovery Manager Plus 6061 and below, ServiceDesk Plus 14204 and below and 143xx 14302 and below, ServiceDesk Plus MSP 14300 and below, SharePoint Manager Plus 4402 and below, and Support Center Plus 14300 and below are vulnerable to 2FA bypass via a few TOTP authenticators. Note: A valid pair of username and password is required to leverage this vulnerability.

authentification

Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to the authenticated users.

CVE-2023-31492 6.5 - Medium - August 17, 2023

Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to the authenticated users.

Insufficiently Protected Credentials

Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001

CVE-2020-27449 6.1 - Medium - August 11, 2023

Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001, allows remote attackers to execute arbitrary code and steal cookies via crafted JavaScript payload.

XSS

Zoho ManageEngine Applications Manager through 16530

CVE-2023-38333 6.1 - Medium - August 10, 2023

Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in.

XSS

The event analysis component in Zoho ManageEngine ADAudit Plus 7.1.1

CVE-2023-32783 7.5 - High - August 07, 2023

The event analysis component in Zoho ManageEngine ADAudit Plus 7.1.1 allows an attacker to bypass audit detection by creating or renaming user accounts with a "$" symbol suffix. NOTE: the vendor states "We do not consider this as a security bug and it's an expected behaviour."

AuthZ

Zoho ManageEngine ADManager Plus through 7201

CVE-2023-38332 6.5 - Medium - August 04, 2023

Zoho ManageEngine ADManager Plus through 7201 allow authenticated users to take over another user's account via sensitive information disclosure.

An issue was discovered in Zoho ManageEngine Network Configuration Manager 12.6.165

CVE-2023-29505 8.8 - High - August 04, 2023

An issue was discovered in Zoho ManageEngine Network Configuration Manager 12.6.165. The WebSocket endpoint allows Cross-site WebSocket hijacking.

Origin Validation Error

Zoho ManageEngine Support Center Plus 14001 and below is vulnerable to stored XSS in the products module.

CVE-2023-38331 5.4 - Medium - July 28, 2023

Zoho ManageEngine Support Center Plus 14001 and below is vulnerable to stored XSS in the products module.

XSS

Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a privilege escalation vulnerability in the Release module

CVE-2023-34197 5.4 - Medium - July 07, 2023

Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a privilege escalation vulnerability in the Release module that allows unprivileged users to access the Reminders of a release ticket and make modifications.

Zoho ManageEngine ADAudit Plus before 7100

CVE-2023-37308 5.4 - Medium - July 07, 2023

Zoho ManageEngine ADAudit Plus before 7100 allows XSS via the username field.

XSS

Zoho ManageEngine ADManager Plus before 7183

CVE-2023-35786 4.9 - Medium - July 05, 2023

Zoho ManageEngine ADManager Plus before 7183 allows admin users to exploit an XXE issue to view files.

XXE

Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass

CVE-2023-35854 9.8 - Critical - June 20, 2023

Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is that they have "found no evidence or detail of a security vulnerability."

Missing Authentication for Critical Function

Zoho ManageEngine OPManager through 126323

CVE-2023-31099 8.8 - High - May 04, 2023

Zoho ManageEngine OPManager through 126323 allows an authenticated user to achieve remote code execution via probe servers.

Zoho ManageEngine Applications Manager before 16400

CVE-2023-29442 6.1 - Medium - April 26, 2023

Zoho ManageEngine Applications Manager before 16400 allows proxy.html DOM XSS.

XSS

Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server

CVE-2023-29443 4.9 - Medium - April 26, 2023

Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint.

XXE

Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309

CVE-2023-2291 7.8 - High - April 26, 2023

Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360. These credentials could allow a malicious actor to modify configuration data that would escalate their permissions from that of a low-privileged user to an Administrative user.

Zoho ManageEngine ADManager Plus before 7181

CVE-2023-29084 7.2 - High - April 13, 2023

Zoho ManageEngine ADManager Plus before 7181 allows for authenticated users to exploit command injection via Proxy settings.

Command Injection

Zoho ManageEngine Applications Manager through 16320

CVE-2023-28340 6.5 - Medium - April 11, 2023

Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack.

XXE

Stored Cross site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340

CVE-2023-28341 6.1 - Medium - April 11, 2023

Stored Cross site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to inject malicious javascript on the incorrect login details page.

XSS

Zoho ManageEngine ADSelfService Plus before 6218

CVE-2023-28342 7.5 - High - April 05, 2023

Zoho ManageEngine ADSelfService Plus before 6218 allows anyone to conduct a Denial-of-Service attack via the Mobile App Authentication API.

A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168

CVE-2022-43473 5.4 - Medium - March 30, 2023

A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve a malicious XML payload to trigger this vulnerability.

XXE

Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack

CVE-2022-36413 9.1 - Critical - March 23, 2023

Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack that leads to a password reset on IDM applications.

Improper Restriction of Excessive Authentication Attempts

Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Center Plus before 14000

CVE-2023-26601 7.5 - High - March 06, 2023

Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Center Plus before 14000 allow Denial-of-Service (DoS).

Resource Exhaustion

ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Explorer through 6987

CVE-2023-26600 6.5 - Medium - March 06, 2023

ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Explorer through 6987 allow privilege escalation via query reports.

Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2

CVE-2022-48362 8.8 - High - February 25, 2023

Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2 allow directory traversal via computerName to AgentLogUploadServlet. A remote, authenticated attacker could upload arbitrary code that would be executed when Desktop Central is restarted. (The attacker could authenticate by exploiting CVE-2021-44515.)

Directory traversal

The Zoho Forms WordPress plugin before 3.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could

CVE-2023-0169 5.4 - Medium - February 13, 2023

The Zoho Forms WordPress plugin before 3.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

XSS

Cross Site Scripting (XSS) vulnerability in Zoho Asset Explorer 6.9

CVE-2023-23075 6.1 - Medium - February 01, 2023

Cross Site Scripting (XSS) vulnerability in Zoho Asset Explorer 6.9 via the credential name when creating a new Assets Workstation.

XSS

OS Command injection vulnerability in Support Center Plus 11

CVE-2023-23076 9.8 - Critical - February 01, 2023

OS Command injection vulnerability in Support Center Plus 11 via Executor in Action when creating new schedules.

Shell injection

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13

CVE-2023-23077 6.1 - Medium - February 01, 2023

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment.

XSS

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14

CVE-2023-23078 6.1 - Medium - February 01, 2023

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets.

XSS

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14

CVE-2023-23073 6.1 - Medium - February 01, 2023

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component.

XSS

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14

CVE-2023-23074 6.1 - Medium - February 01, 2023

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via embedding videos in the language component.

XSS

Zoho ManageEngine ServiceDesk Plus MSP before 10611

CVE-2023-22964 9.1 - Critical - January 20, 2023

Zoho ManageEngine ServiceDesk Plus MSP before 10611, and 13x before 13004, is vulnerable to authentication bypass when LDAP authentication is enabled.

authentification

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in

CVE-2022-47966 9.8 - Critical - January 18, 2023

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41. ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).

Zoho ManageEngine Exchange Reporter Plus before 5708

CVE-2023-22624 7.5 - High - January 17, 2023

Zoho ManageEngine Exchange Reporter Plus before 5708 allows attackers to conduct XXE attacks.

XXE

Zoho ManageEngine Access Manager Plus before 4309

CVE-2022-47523 9.8 - Critical - January 05, 2023

Zoho ManageEngine Access Manager Plus before 4309, Password Manager Pro before 12210, and PAM360 before 5801 are vulnerable to SQL Injection.

SQL Injection

An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15

CVE-2022-47577 7.8 - High - December 20, 2022

An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the USB restrictions by making use of a virtual machine (VM). This allows a file to be exchanged outside the laptop/system. VMs can be created by any user (even without admin rights). The data exfiltration can occur without any record in the audit trail of Windows events on the host machine. NOTE: the vendor's position is "it's not a vulnerability in our product."

An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15

CVE-2022-47578 7.8 - High - December 20, 2022

An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the USB restrictions by booting into Safe Mode. This allows a file to be exchanged outside the laptop/system. Safe Mode can be launched by any user (even without admin rights). Data exfiltration can occur, and also malware might be introduced onto the system. NOTE: the vendor's position is "it's not a vulnerability in our product."

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack

CVE-2022-40771 4.9 - Medium - November 23, 2022

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure.

XXE

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to a validation bypass

CVE-2022-40772 6.5 - Medium - November 23, 2022

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to a validation bypass that allows users to access sensitive data via the report module.

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to authenticated command injection

CVE-2022-40770 7.2 - High - November 23, 2022

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to authenticated command injection. This can be exploited by high-privileged users.

Command Injection

Zoho ManageEngine ADManager Plus through 7151

CVE-2022-42904 7.2 - High - November 18, 2022

Zoho ManageEngine ADManager Plus through 7151 allows authenticated admin users to execute the commands in proxy settings.

Zoho ManageEngine SupportCenter Plus through 11024

CVE-2022-42903 3.3 - Low - November 17, 2022

Zoho ManageEngine SupportCenter Plus through 11024 allows low-privileged users to view the organization users list.

AuthZ

Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306

CVE-2022-43672 9.8 - Critical - November 12, 2022

Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection (in a different software component relative to CVE-2022-43671.

SQL Injection

Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306

CVE-2022-43671 9.8 - Critical - November 12, 2022

Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection.

SQL Injection