Zoho Corp Zoho Corp ZoHo

Do you want an email whenever new security vulnerabilities are reported in any Zoho Corp product?

Products by Zoho Corp Sorted by Most Security Vulnerabilities since 2018

Zoho Corp Manageengine Pam36010 vulnerabilities

Zoho Corp Zoho Forms2 vulnerabilities

Zoho Corp Oputils2 vulnerabilities

Zoho Corp Opmanager2 vulnerabilities

Zoho Corp Firewall Analyzer2 vulnerabilities

Zoho Corp Manageengine Ad3602 vulnerabilities

Zoho Corp Log3601 vulnerability

By the Year

In 2024 there have been 8 vulnerabilities in Zoho Corp with an average score of 7.8 out of ten. Last year Zoho Corp had 45 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Zoho Corp in 2024 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2024 is greater by 0.90.

Year Vulnerabilities Average Score
2024 8 7.84
2023 45 6.94
2022 55 7.52
2021 96 8.61
2020 40 7.76
2019 58 7.35
2018 48 7.63

It may take a day or so for new Zoho Corp vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Zoho Corp Security Vulnerabilities

ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in home Graph-Data.

CVE-2024-0253 8.8 - High - February 02, 2024

ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in home Graph-Data.

SQL Injection

ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in File-Summary DrillDown

CVE-2024-0269 8.8 - High - February 02, 2024

ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in File-Summary DrillDown. This issue has been fixed and released in version 7271.

SQL Injection

Zoho ManageEngine ADAudit Plus through 7250 is vulnerable to SQL Injection in the report export option.

CVE-2023-48792 9.8 - Critical - February 02, 2024

Zoho ManageEngine ADAudit Plus through 7250 is vulnerable to SQL Injection in the report export option.

SQL Injection

Zoho ManageEngine ADAudit Plus through 7250

CVE-2023-48793 9.8 - Critical - February 02, 2024

Zoho ManageEngine ADAudit Plus through 7250 allows SQL Injection in the aggregate report feature.

SQL Injection

Zoho ManageEngine ADAudit Plus before 7270

CVE-2023-50785 2.7 - Low - January 25, 2024

Zoho ManageEngine ADAudit Plus before 7270 allows admin users to view names of arbitrary directories via path traversal.

Directory traversal

Zoho ManageEngine ServiceDesk Plus MSP before 14504

CVE-2023-49943 5.4 - Medium - January 18, 2024

Zoho ManageEngine ServiceDesk Plus MSP before 14504 allows stored XSS (by a low-privileged technician) via a task's name in a time sheet.

XSS

ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to the remote code execution due to the improper handling in the load balancer component

CVE-2024-0252 8.8 - High - January 11, 2024

ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to the remote code execution due to the improper handling in the load balancer component. Authentication is required in order to exploit this vulnerability.

A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258

CVE-2023-47211 8.6 - High - January 08, 2024

A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability.

Directory traversal

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoho Forms Form plugin for WordPress Zoho Forms

CVE-2023-50891 5.4 - Medium - December 29, 2023

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoho Forms Form plugin for WordPress Zoho Forms allows Stored XSS.This issue affects Form plugin for WordPress Zoho Forms: from n/a through 3.0.1.

XSS

Zoho ManageEngine RecoveryManager Plus before 6070

CVE-2023-48646 7.2 - High - November 22, 2023

Zoho ManageEngine RecoveryManager Plus before 6070 allows admin users to execute arbitrary commands via proxy settings.

An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed

CVE-2023-6105 5.5 - Medium - November 15, 2023

An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine product database.

A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0

CVE-2023-4767 6.1 - Medium - November 03, 2023

A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.csv.

Injection

A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0

CVE-2023-4768 6.1 - Medium - November 03, 2023

A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.pdf.

CRLF Injection

A SSRF vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0, specifically the /smtpConfig.do component

CVE-2023-4769 8.8 - High - November 03, 2023

A SSRF vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0, specifically the /smtpConfig.do component. This vulnerability could allow an authenticated attacker to launch targeted attacks, such as a cross-port attack, service enumeration and other attacks via HTTP requests.

XSPA

Zoho ManageEngine ADManager Plus before 7203

CVE-2023-41904 5.4 - Medium - September 27, 2023

Zoho ManageEngine ADManager Plus before 7203 allows 2FA bypass (for AuthToken generation) in REST APIs.

authentification

Zoho ManageEngine ADManager Plus before Build 7200

CVE-2023-38743 7.2 - High - September 11, 2023

Zoho ManageEngine ADManager Plus before Build 7200 allows admin users to execute commands on the host machine.

ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability

CVE-2023-35719 6.8 - Medium - September 06, 2023

ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of ManageEngine ADSelfService Plus. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Password Reset Portal used by the GINA client. The issue results from the lack of proper authentication of data received via HTTP. An attacker can leverage this vulnerability to bypass authentication and execute code in the context of SYSTEM. Was ZDI-CAN-17009.

Insufficient Verification of Data Authenticity

Zoho ManageEngine ADManager Plus before 7203

CVE-2023-39912 4.9 - Medium - August 31, 2023

Zoho ManageEngine ADManager Plus before 7203 allows Help Desk Technician users to read arbitrary files on the machine where this product is installed.

Directory traversal

Zoho ManageEngine Active Directory 360 versions 4315 and below, ADAudit Plus 7202 and below, ADManager Plus 7200 and below, Asset Explorer 6993 and below and 7xxx 7002 and below, Cloud Security Plus 4161 and below, Data Security Plus 6110 and below, Eventlog Analyzer 12301 and below, Exchange Reporter Plus 5709 and below, Log360 5315 and below, Log360 UEBA 4045 and below, M365 Manager Plus 4529 and below, M365 Security Plus 4529 and below, Recovery Manager Plus 6061 and below, ServiceDesk Plus 14204 and below and 143xx 14302 and below, ServiceDesk Plus MSP 14300 and below, SharePoint Manager Plus 4402 and below, and Support Center Plus 14300 and below are vulnerable to 2FA bypass

CVE-2023-35785 9.8 - Critical - August 28, 2023

Zoho ManageEngine Active Directory 360 versions 4315 and below, ADAudit Plus 7202 and below, ADManager Plus 7200 and below, Asset Explorer 6993 and below and 7xxx 7002 and below, Cloud Security Plus 4161 and below, Data Security Plus 6110 and below, Eventlog Analyzer 12301 and below, Exchange Reporter Plus 5709 and below, Log360 5315 and below, Log360 UEBA 4045 and below, M365 Manager Plus 4529 and below, M365 Security Plus 4529 and below, Recovery Manager Plus 6061 and below, ServiceDesk Plus 14204 and below and 143xx 14302 and below, ServiceDesk Plus MSP 14300 and below, SharePoint Manager Plus 4402 and below, and Support Center Plus 14300 and below are vulnerable to 2FA bypass via a few TOTP authenticators. Note: A valid pair of username and password is required to leverage this vulnerability.

authentification

Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to the authenticated users.

CVE-2023-31492 6.5 - Medium - August 17, 2023

Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to the authenticated users.

Insufficiently Protected Credentials

Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001

CVE-2020-27449 6.1 - Medium - August 11, 2023

Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001, allows remote attackers to execute arbitrary code and steal cookies via crafted JavaScript payload.

XSS

Zoho ManageEngine Applications Manager through 16530

CVE-2023-38333 6.1 - Medium - August 10, 2023

Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in.

XSS

Zoho ManageEngine ADManager Plus through 7201

CVE-2023-38332 6.5 - Medium - August 04, 2023

Zoho ManageEngine ADManager Plus through 7201 allow authenticated users to take over another user's account via sensitive information disclosure.

An issue was discovered in Zoho ManageEngine Network Configuration Manager 12.6.165

CVE-2023-29505 8.8 - High - August 04, 2023

An issue was discovered in Zoho ManageEngine Network Configuration Manager 12.6.165. The WebSocket endpoint allows Cross-site WebSocket hijacking.

Origin Validation Error

Zoho ManageEngine Support Center Plus 14001 and below is vulnerable to stored XSS in the products module.

CVE-2023-38331 5.4 - Medium - July 28, 2023

Zoho ManageEngine Support Center Plus 14001 and below is vulnerable to stored XSS in the products module.

XSS

Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a privilege escalation vulnerability in the Release module

CVE-2023-34197 5.4 - Medium - July 07, 2023

Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a privilege escalation vulnerability in the Release module that allows unprivileged users to access the Reminders of a release ticket and make modifications.

Zoho ManageEngine ADAudit Plus before 7100

CVE-2023-37308 5.4 - Medium - July 07, 2023

Zoho ManageEngine ADAudit Plus before 7100 allows XSS via the username field.

XSS

Zoho ManageEngine ADManager Plus before 7183

CVE-2023-35786 4.9 - Medium - July 05, 2023

Zoho ManageEngine ADManager Plus before 7183 allows admin users to exploit an XXE issue to view files.

XXE

** DISPUTED ** Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass

CVE-2023-35854 9.8 - Critical - June 20, 2023

** DISPUTED ** Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is that they have "found no evidence or detail of a security vulnerability."

Missing Authentication for Critical Function

Zoho ManageEngine OPManager through 126323

CVE-2023-31099 8.8 - High - May 04, 2023

Zoho ManageEngine OPManager through 126323 allows an authenticated user to achieve remote code execution via probe servers.

Zoho ManageEngine Applications Manager before 16400

CVE-2023-29442 6.1 - Medium - April 26, 2023

Zoho ManageEngine Applications Manager before 16400 allows proxy.html DOM XSS.

XSS

Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server

CVE-2023-29443 4.9 - Medium - April 26, 2023

Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint.

XXE

Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309

CVE-2023-2291 7.8 - High - April 26, 2023

Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360. These credentials could allow a malicious actor to modify configuration data that would escalate their permissions from that of a low-privileged user to an Administrative user.

Zoho ManageEngine ADManager Plus before 7181

CVE-2023-29084 7.2 - High - April 13, 2023

Zoho ManageEngine ADManager Plus before 7181 allows for authenticated users to exploit command injection via Proxy settings.

Command Injection

Zoho ManageEngine Applications Manager through 16320

CVE-2023-28340 6.5 - Medium - April 11, 2023

Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack.

XXE

Stored Cross site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340

CVE-2023-28341 6.1 - Medium - April 11, 2023

Stored Cross site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to inject malicious javascript on the incorrect login details page.

XSS

Zoho ManageEngine ADSelfService Plus before 6218

CVE-2023-28342 7.5 - High - April 05, 2023

Zoho ManageEngine ADSelfService Plus before 6218 allows anyone to conduct a Denial-of-Service attack via the Mobile App Authentication API.

A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168

CVE-2022-43473 5.4 - Medium - March 30, 2023

A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve a malicious XML payload to trigger this vulnerability.

XXE

Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack

CVE-2022-36413 9.1 - Critical - March 23, 2023

Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack that leads to a password reset on IDM applications.

Improper Restriction of Excessive Authentication Attempts

Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Center Plus before 14000

CVE-2023-26601 7.5 - High - March 06, 2023

Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Center Plus before 14000 allow Denial-of-Service (DoS).

Resource Exhaustion

ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Explorer through 6987

CVE-2023-26600 6.5 - Medium - March 06, 2023

ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Explorer through 6987 allow privilege escalation via query reports.

Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2

CVE-2022-48362 8.8 - High - February 25, 2023

Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2 allow directory traversal via computerName to AgentLogUploadServlet. A remote, authenticated attacker could upload arbitrary code that would be executed when Desktop Central is restarted. (The attacker could authenticate by exploiting CVE-2021-44515.)

Directory traversal

The Zoho Forms WordPress plugin before 3.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could

CVE-2023-0169 5.4 - Medium - February 13, 2023

The Zoho Forms WordPress plugin before 3.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

XSS

Cross Site Scripting (XSS) vulnerability in Zoho Asset Explorer 6.9

CVE-2023-23075 6.1 - Medium - February 01, 2023

Cross Site Scripting (XSS) vulnerability in Zoho Asset Explorer 6.9 via the credential name when creating a new Assets Workstation.

XSS

OS Command injection vulnerability in Support Center Plus 11

CVE-2023-23076 9.8 - Critical - February 01, 2023

OS Command injection vulnerability in Support Center Plus 11 via Executor in Action when creating new schedules.

Shell injection

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13

CVE-2023-23077 6.1 - Medium - February 01, 2023

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment.

XSS

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14

CVE-2023-23078 6.1 - Medium - February 01, 2023

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets.

XSS

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14

CVE-2023-23073 6.1 - Medium - February 01, 2023

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component.

XSS

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14

CVE-2023-23074 6.1 - Medium - February 01, 2023

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via embedding videos in the language component.

XSS

Zoho ManageEngine ServiceDesk Plus MSP before 10611

CVE-2023-22964 9.1 - Critical - January 20, 2023

Zoho ManageEngine ServiceDesk Plus MSP before 10611, and 13x before 13004, is vulnerable to authentication bypass when LDAP authentication is enabled.

authentification

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in

CVE-2022-47966 9.8 - Critical - January 18, 2023

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41. ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).

Zoho ManageEngine Exchange Reporter Plus before 5708

CVE-2023-22624 7.5 - High - January 17, 2023

Zoho ManageEngine Exchange Reporter Plus before 5708 allows attackers to conduct XXE attacks.

XXE

Zoho ManageEngine Access Manager Plus before 4309

CVE-2022-47523 9.8 - Critical - January 05, 2023

Zoho ManageEngine Access Manager Plus before 4309, Password Manager Pro before 12210, and PAM360 before 5801 are vulnerable to SQL Injection.

SQL Injection

** DISPUTED ** An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15

CVE-2022-47577 7.8 - High - December 20, 2022

** DISPUTED ** An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the USB restrictions by making use of a virtual machine (VM). This allows a file to be exchanged outside the laptop/system. VMs can be created by any user (even without admin rights). The data exfiltration can occur without any record in the audit trail of Windows events on the host machine. NOTE: the vendor's position is "it's not a vulnerability in our product."

** DISPUTED ** An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15

CVE-2022-47578 7.8 - High - December 20, 2022

** DISPUTED ** An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the USB restrictions by booting into Safe Mode. This allows a file to be exchanged outside the laptop/system. Safe Mode can be launched by any user (even without admin rights). Data exfiltration can occur, and also malware might be introduced onto the system. NOTE: the vendor's position is "it's not a vulnerability in our product."

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack

CVE-2022-40771 4.9 - Medium - November 23, 2022

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure.

XXE

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to a validation bypass

CVE-2022-40772 6.5 - Medium - November 23, 2022

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to a validation bypass that allows users to access sensitive data via the report module.

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to authenticated command injection

CVE-2022-40770 7.2 - High - November 23, 2022

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to authenticated command injection. This can be exploited by high-privileged users.

Command Injection

Zoho ManageEngine ADManager Plus through 7151

CVE-2022-42904 7.2 - High - November 18, 2022

Zoho ManageEngine ADManager Plus through 7151 allows authenticated admin users to execute the commands in proxy settings.

Zoho ManageEngine SupportCenter Plus through 11024

CVE-2022-42903 3.3 - Low - November 17, 2022

Zoho ManageEngine SupportCenter Plus through 11024 allows low-privileged users to view the organization users list.

AuthZ

Zoho ManageEngine ServiceDesk Plus MSP before 10609 and SupportCenter Plus before 11025 are vulnerable to privilege escalation

CVE-2022-40773 8.8 - High - November 12, 2022

Zoho ManageEngine ServiceDesk Plus MSP before 10609 and SupportCenter Plus before 11025 are vulnerable to privilege escalation. This allows users to obtain sensitive data during an exportMickeyList export of requests from the list view.

Improper Input Validation

In Zoho ManageEngine Mobile Device Manager Plus before 10.1.2207.5, the User Administration module

CVE-2022-41339 7.8 - High - November 12, 2022

In Zoho ManageEngine Mobile Device Manager Plus before 10.1.2207.5, the User Administration module allows privilege escalation.

Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306

CVE-2022-43671 9.8 - Critical - November 12, 2022

Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection.

SQL Injection

Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306

CVE-2022-43672 9.8 - Critical - November 12, 2022

Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection (in a different software component relative to CVE-2022-43671.

SQL Injection

Auth. (subscriber+) Arbitrary Options Update vulnerability i

CVE-2022-41978 6.5 - Medium - November 09, 2022

Auth. (subscriber+) Arbitrary Options Update vulnerability in Zoho CRM Lead Magnet plugin <= 1.7.5.8 on WordPress.

Zoho ManageEngine Password Manager Pro through 12120 before 12121

CVE-2022-40300 9.8 - Critical - September 16, 2022

Zoho ManageEngine Password Manager Pro through 12120 before 12121, PAM360 through 5550 before 5600, and Access Manager Plus through 4304 before 4305 have multiple SQL injection vulnerabilities.

SQL Injection

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 125658, 126003, 126105, and 126120 allow authenticated users to make database changes

CVE-2022-38772 8.8 - High - August 29, 2022

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 125658, 126003, 126105, and 126120 allow authenticated users to make database changes that lead to remote code execution in the NMAP feature.

Out-of-Band XML External Entity (OOB-XXE) vulnerability in Zoho ManageEngine Analytics Plus before 4.3.5

CVE-2020-21641 7.5 - High - August 15, 2022

Out-of-Band XML External Entity (OOB-XXE) vulnerability in Zoho ManageEngine Analytics Plus before 4.3.5 allows remote attackers to read arbitrary files, enumerate folders and scan internal ports via crafted XML license file.

XXE

Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350

CVE-2020-21642 9.8 - Critical - August 15, 2022

Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.

Directory traversal

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118)

CVE-2022-36923 7.5 - High - August 10, 2022

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user's API key, and then access external APIs.

Improper Handling of Exceptional Conditions

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 2022-07-29 through 2022-07-30 ( 125658, 126003, 126105, and 126120) allow authenticated users to make database changes

CVE-2022-37024 8.8 - High - August 10, 2022

Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 2022-07-29 through 2022-07-30 ( 125658, 126003, 126105, and 126120) allow authenticated users to make database changes that lead to remote code execution.

In Zoho ManageEngine SupportCenter Plus before 11023, V3 API requests are vulnerable to authentication bypass

CVE-2022-36412 9.8 - Critical - July 26, 2022

In Zoho ManageEngine SupportCenter Plus before 11023, V3 API requests are vulnerable to authentication bypass. (An API request may, in effect, be executed with the credentials of a user who authenticated in the past.)

authentification

Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution

CVE-2022-35405 9.8 - Critical - July 19, 2022

Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.)

Marshaling, Unmarshaling

ManageEngine Password Manager Pro 12100 and prior and OPManager 126100 and prior are vulnerable to unauthorized file and directory creation on a server machine.

CVE-2022-35404 8.2 - High - July 18, 2022

ManageEngine Password Manager Pro 12100 and prior and OPManager 126100 and prior are vulnerable to unauthorized file and directory creation on a server machine.

Improper Input Validation

Zoho ManageEngine ServiceDesk Plus before 13008, ServiceDesk Plus MSP before 10606, and SupportCenter Plus before 11022 are affected by an unauthenticated local file disclosure vulnerability

CVE-2022-35403 7.5 - High - July 12, 2022

Zoho ManageEngine ServiceDesk Plus before 13008, ServiceDesk Plus MSP before 10606, and SupportCenter Plus before 11022 are affected by an unauthenticated local file disclosure vulnerability via ticket-creation email. (This also affects Asset Explorer before 6977 with authentication.)

Zoho ManageEngine ADSelfService Plus before 6203

CVE-2022-34829 7.5 - High - July 04, 2022

Zoho ManageEngine ADSelfService Plus before 6203 allows a denial of service (application restart) via a crafted payload to the Mobile App Deployment API.

Zoho ManageEngine ServiceDesk Plus MSP before 10604

CVE-2022-32551 7.5 - High - July 02, 2022

Zoho ManageEngine ServiceDesk Plus MSP before 10604 allows path traversal (to WEBINF/web.xml from sample/WEB-INF/web.xml or sample/META-INF/web.xml).

Directory traversal

ManageEngine AppManager15 (Build No:15510)

CVE-2022-23050 7.2 - High - May 24, 2022

ManageEngine AppManager15 (Build No:15510) allows an authenticated admin user to upload a DLL file to perform a DLL hijack attack inside the 'working' folder through the 'Upload Files / Binaries' functionality.

DLL preloading

Zoho ManageEngine ADSelfService Plus before 6202

CVE-2022-28987 5.3 - Medium - May 20, 2022

Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login.

Zoho ManageEngine OPManager through 125588

CVE-2022-29535 9.8 - Critical - May 05, 2022

Zoho ManageEngine OPManager through 125588 allows SQL Injection via a few default reports.

SQL Injection

Zoho ManageEngine Access Manager Plus before 4302

CVE-2022-29081 9.8 - Critical - April 28, 2022

Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. FetchEvents. and Synchronize) via the ../RestAPI substring.

Directory traversal

Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131

CVE-2022-29457 8.8 - High - April 18, 2022

Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.

Insufficiently Protected Credentials

Zoho ManageEngine ADSelfService Plus before build 6122

CVE-2022-28810 6.8 - Medium - April 18, 2022

Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field.

Shell injection

Zoho ManageEngine OpManager before 125588 (and before 125603) is vulnerable to authenticated SQL Injection in the Inventory Reports module.

CVE-2022-27908 8.8 - High - April 18, 2022

Zoho ManageEngine OpManager before 125588 (and before 125603) is vulnerable to authenticated SQL Injection in the Inventory Reports module.

SQL Injection

Zoho ManageEngine Remote Access Plus before 10.1.2137.15

CVE-2022-26653 5.3 - Medium - April 16, 2022

Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view domain details (such as the username and GUID of an administrator).

forced browsing

Zoho ManageEngine Remote Access Plus before 10.1.2137.15

CVE-2022-26777 5.3 - Medium - April 16, 2022

Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view license details.

forced browsing

Zoho ManageEngine ADSelfService Plus before 6121

CVE-2022-24681 6.1 - Medium - April 07, 2022

Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen.

XSS

Zoho ManageEngine ADAudit Plus before 7055 allows authenticated Privilege Escalation on Integrated products

CVE-2022-24978 8.8 - High - April 05, 2022

Zoho ManageEngine ADAudit Plus before 7055 allows authenticated Privilege Escalation on Integrated products. This occurs because a password field is present in a JSON response.

Cleartext Transmission of Sensitive Information

Zoho ManageEngine ServiceDesk Plus before 13001

CVE-2022-25245 5.3 - Medium - April 05, 2022

Zoho ManageEngine ServiceDesk Plus before 13001 allows anyone to know the organisation's default currency name.

Missing Authentication for Critical Function

Zoho ManageEngine SupportCenter Plus before 11020

CVE-2022-25373 5.4 - Medium - April 05, 2022

Zoho ManageEngine SupportCenter Plus before 11020 allows Stored XSS in the request history.

XSS

Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack

CVE-2022-28219 9.8 - Critical - April 05, 2022

Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution.

XXE

Zoho ManageEngine Desktop Central before 10.1.2137.8 exposes the installed server name to anyone

CVE-2022-23779 5.3 - Medium - March 02, 2022

Zoho ManageEngine Desktop Central before 10.1.2137.8 exposes the installed server name to anyone. The internal hostname can be discovered by reading HTTP redirect responses.

Information Disclosure

Zoho ManageEngine SharePoint Manager Plus before 4329 is vulnerable to a sensitive data leak

CVE-2022-24305 9.8 - Critical - March 02, 2022

Zoho ManageEngine SharePoint Manager Plus before 4329 is vulnerable to a sensitive data leak that leads to privilege escalation.

Zoho ManageEngine SharePoint Manager Plus before 4329

CVE-2022-24306 9.8 - Critical - March 02, 2022

Zoho ManageEngine SharePoint Manager Plus before 4329 allows account takeover because authorization is mishandled.

AuthZ

An issue was discovered in Zoho ManageEngine Key Manager Plus before 6200

CVE-2022-24447 6.5 - Medium - March 02, 2022

An issue was discovered in Zoho ManageEngine Key Manager Plus before 6200. A service exposed by the application allows a user, with the level Operator, to access stored SSL certificates and associated key pairs during export.

An issue was discovered in Zoho ManageEngine Key Manager Plus 6.1.6

CVE-2022-24446 4.3 - Medium - March 01, 2022

An issue was discovered in Zoho ManageEngine Key Manager Plus 6.1.6. A user, with the level Operator, can see all SSH servers (and user information) even if no SSH server or user is associated to the operator.

Zoho ManageEngine Desktop Central before 10.1.2137.10

CVE-2022-23863 6.5 - Medium - January 28, 2022

Zoho ManageEngine Desktop Central before 10.1.2137.10 allows an authenticated user to change any user's login password.

A Cross-site scripting (XSS) vulnerability in Secondary Email Field in Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306

CVE-2021-46065 4.8 - Medium - January 27, 2022

A Cross-site scripting (XSS) vulnerability in Secondary Email Field in Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306 allows an attackers to inject arbitrary JavaScript code.

XSS

Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9

CVE-2021-44757 9.1 - Critical - January 18, 2022

Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9 allow attackers to bypass authentication, and read sensitive information or upload an arbitrary ZIP archive to the server.

Zoho ManageEngine CloudSecurityPlus before Build 4117

CVE-2021-44651 8.8 - High - January 12, 2022

Zoho ManageEngine CloudSecurityPlus before Build 4117 allows remote code execution through the updatePersonalizeSettings component due to an improper security patch for CVE-2021-40175.

Unrestricted File Upload

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8. Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.