Zoho Corp
By the Year
In 2024 there have been 44 vulnerabilities published for Zoho Corp products, with an average CVSS base score of 8.1 out of ten. In 2023 Zoho Corp had 46 security vulnerabilities published, so at the current rate the two years may end up roughly equal in count. The average base score in 2024, however, is 1.19 higher (8.10 versus 6.91).
Year | Vulnerabilities | Average Score |
---|---|---|
2024 | 44 | 8.10 |
2023 | 46 | 6.91 |
2022 | 55 | 7.52 |
2021 | 96 | 8.61 |
2020 | 40 | 7.76 |
2019 | 58 | 7.35 |
2018 | 48 | 7.63 |
It may take a day or so for new Zoho Corp vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Zoho Corp Security Vulnerabilities
ManageEngine Analytics Plus Authenticated Sensitive Data Exposure Vulnerability
CVE-2024-52323
- November 27, 2024
Zohocorp ManageEngine Analytics Plus versions below 6100 are vulnerable to authenticated sensitive data exposure, which allows users to retrieve sensitive tokens associated with the org-admin account.
Zohocorp ManageEngine ADAudit Plus versions below 8123 are vulnerable to SQL Injection in the reports module.
CVE-2024-49574
8.8 - High
- November 18, 2024
Zohocorp ManageEngine ADAudit Plus versions below 8123 are vulnerable to SQL Injection in the reports module.
SQL Injection
ManageEngine SharePoint XXE in Management v4503 - November 2024
CVE-2024-10839
8.1 - High
- November 08, 2024
Zohocorp ManageEngine SharePoint Manager Plus versions 4503 and prior are vulnerable to authenticated XML External Entity (XXE) in the Management option.
XXE
ManageEngine ADManager Plus Privilege Escalation - November 2024
CVE-2024-24409
8.8 - High
- November 08, 2024
Zohocorp ManageEngine ADManager Plus versions 7203 and prior are vulnerable to Privilege Escalation in the Modify Computers option.
SQL Injection in ManageEngine Exchange Reporter Plus Reports
CVE-2024-9459
8.8 - High
- November 05, 2024
Zohocorp ManageEngine Exchange Reporter Plus versions 5718 and prior are vulnerable to authenticated SQL Injection in reports module.
SQL Injection
SQL Injection Vulnerability in Zoho ManageEngine ADAudit Plus Technician Reports
CVE-2024-36485
8.8 - High
- November 04, 2024
Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to SQL Injection in Technician reports option.
SQL Injection
SQL Injection Vulnerability in Zoho ManageEngine ADManager Plus Archived Audit Report
CVE-2024-48878
8.8 - High
- November 04, 2024
Zohocorp ManageEngine ADManager Plus versions 7241 and prior are vulnerable to SQL Injection in Archived Audit Report.
SQL Injection
Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to SQL Injection in the technician reports feature.
CVE-2024-5608
8.1 - High
- October 24, 2024
Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to SQL Injection in the technician reports feature.
SQL Injection
Zohocorp ManageEngine Endpoint Central is affected by an incorrect authorization vulnerability while isolating devices. This issue affects Endpoint Central: before 11.3.2406.08 and before 11.3.2400.15
CVE-2024-38868
8.3 - High
- August 30, 2024
Zohocorp ManageEngine Endpoint Central is affected by an incorrect authorization vulnerability while isolating devices. This issue affects Endpoint Central: before 11.3.2406.08 and before 11.3.2400.15
AuthZ
Zohocorp ManageEngine Exchange Reporter Plus versions before 5715 are vulnerable to SQL Injection in the reports module.
CVE-2024-6204
8.1 - High
- August 30, 2024
Zohocorp ManageEngine Exchange Reporter Plus versions before 5715 are vulnerable to SQL Injection in the reports module.
SQL Injection
Zohocorp ManageEngine Password Manager Pro versions before 12431 and ManageEngine PAM360 versions before 7001 are affected by authenticated SQL Injection vulnerability
CVE-2024-5546
8.8 - High
- August 28, 2024
Zohocorp ManageEngine Password Manager Pro versions before 12431 and ManageEngine PAM360 versions before 7001 are affected by authenticated SQL Injection vulnerability via a global search option.
SQL Injection
Zohocorp ManageEngine Endpoint Central is affected by an incorrect authorization vulnerability in remote office deploy configurations. This issue affects Endpoint Central: before 11.3.2416.04 and before 11.3.2400.25.
CVE-2024-38869
5.4 - Medium
- August 23, 2024
Zohocorp ManageEngine Endpoint Central is affected by an incorrect authorization vulnerability in remote office deploy configurations. This issue affects Endpoint Central: before 11.3.2416.04 and before 11.3.2400.25.
AuthZ
A stored cross-site scripting vulnerability in the request module affects Zohocorp ManageEngine ServiceDesk Plus
CVE-2024-41150
6.1 - Medium
- August 23, 2024
A stored cross-site scripting vulnerability in the request module affects Zohocorp ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus. This issue affects ServiceDesk Plus versions: through 14810; ServiceDesk Plus MSP: through 14800; SupportCenter Plus: through 14800.
XSS
Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to authenticated SQL injection in the account lockout report.
CVE-2024-5467
8.8 - High
- August 23, 2024
Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to authenticated SQL injection in the account lockout report.
SQL Injection
Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to authenticated SQL injection in the aggregate reports option.
CVE-2024-5490
8.8 - High
- August 23, 2024
Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to authenticated SQL injection in the aggregate reports option.
SQL Injection
Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to authenticated SQL injection in the reports module.
CVE-2024-5556
8.8 - High
- August 23, 2024
Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to authenticated SQL injection in the reports module.
SQL Injection
Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to authenticated SQL injection in the extranet lockouts report option.
CVE-2024-5586
8.8 - High
- August 23, 2024
Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to authenticated SQL injection in the extranet lockouts report option.
SQL Injection
Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to authenticated SQL injection in the file summary option.
CVE-2024-36514
8.8 - High
- August 23, 2024
Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to authenticated SQL injection in the file summary option.
SQL Injection
Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to authenticated SQL injection in the dashboard
CVE-2024-36515
8.8 - High
- August 23, 2024
Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to authenticated SQL injection in the dashboard. Note: This vulnerability is distinct from CVE-2024-36516, which also affects the ADAudit Plus dashboard.
SQL Injection
Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to authenticated SQL injection in the dashboard
CVE-2024-36516
8.8 - High
- August 23, 2024
Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to authenticated SQL injection in the dashboard. Note: This vulnerability is distinct from CVE-2024-36515, which also affects the ADAudit Plus dashboard.
SQL Injection
Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to authenticated SQL injection in the alerts module.
CVE-2024-36517
8.8 - High
- August 23, 2024
Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to authenticated SQL injection in the alerts module.
SQL Injection
Zohocorp ManageEngine OpManager and Remote Monitoring and Management versions 128329 and below are vulnerable to authenticated remote code execution in the deploy agent option.
CVE-2024-5466
8.8 - High
- August 23, 2024
Zohocorp ManageEngine OpManager and Remote Monitoring and Management versions 128329 and below are vulnerable to authenticated remote code execution in the deploy agent option.
Code Injection
Zohocorp ManageEngine ADAudit Plus versions below 8003 are vulnerable to authenticated SQL Injection in aggregate reports' search option.
CVE-2024-36034
8.8 - High
- August 12, 2024
Zohocorp ManageEngine ADAudit Plus versions below 8003 are vulnerable to authenticated SQL Injection in aggregate reports' search option.
SQL Injection
Zohocorp ManageEngine ADAudit Plus versions below 8003 are vulnerable to authenticated SQL Injection in user session recording.
CVE-2024-36035
8.8 - High
- August 12, 2024
Zohocorp ManageEngine ADAudit Plus versions below 8003 are vulnerable to authenticated SQL Injection in user session recording.
SQL Injection
Zohocorp ManageEngine ADAudit Plus versions below 8110 are vulnerable to authenticated SQL Injection in attack surface analyzer's export option.
CVE-2024-5487
8.8 - High
- August 12, 2024
Zohocorp ManageEngine ADAudit Plus versions below 8110 are vulnerable to authenticated SQL Injection in attack surface analyzer's export option.
SQL Injection
Zohocorp ManageEngine ADAudit Plus versions below 8110 are vulnerable to authenticated SQL Injection in file auditing configuration.
CVE-2024-5527
8.8 - High
- August 12, 2024
Zohocorp ManageEngine ADAudit Plus versions below 8110 are vulnerable to authenticated SQL Injection in file auditing configuration.
SQL Injection
Zohocorp ManageEngine Applications Manager versions 170900 and below are vulnerable to authenticated, admin-only SQL injection in the Create Monitor feature.
CVE-2024-5678
4.7 - Medium
- August 01, 2024
Zohocorp ManageEngine Applications Manager versions 170900 and below are vulnerable to authenticated, admin-only SQL injection in the Create Monitor feature.
SQL Injection
Zohocorp ManageEngine Exchange Reporter Plus versions 5717 and below are vulnerable to authenticated SQL injection in the reports module.
CVE-2024-38871
8.8 - High
- July 26, 2024
Zohocorp ManageEngine Exchange Reporter Plus versions 5717 and below are vulnerable to authenticated SQL injection in the reports module.
SQL Injection
Zohocorp ManageEngine Exchange Reporter Plus versions 5717 and below are vulnerable to authenticated SQL injection in the monitoring module.
CVE-2024-38872
8.8 - High
- July 26, 2024
Zohocorp ManageEngine Exchange Reporter Plus versions 5717 and below are vulnerable to authenticated SQL injection in the monitoring module.
SQL Injection
Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to directory traversal allowing file upload to the server folder
CVE-2024-27311
8.8 - High
- July 17, 2024
Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to a directory traversal vulnerability which allows the user to upload new files to the server folder.
Unrestricted File Upload
Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to agent takeover due to hard-coded sensitive keys.
CVE-2024-5471
9.8 - Critical
- July 17, 2024
Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to agent takeover due to hard-coded sensitive keys.
Use of Hard-coded Credentials
Zoho ManageEngine PAM360 is vulnerable to stored XSS
CVE-2024-27313
4.6 - Medium
- May 29, 2024
Zoho ManageEngine PAM360 is vulnerable to stored XSS. This vulnerability applies only to version 6610.
XSS
Zoho ManageEngine ADSelfService Plus versions below 6401 are vulnerable to a denial-of-service attack via malicious LDAP input.
CVE-2024-27310
6.5 - Medium
- May 27, 2024
Zoho ManageEngine ADSelfService Plus versions below 6401 are vulnerable to a denial-of-service attack via malicious LDAP input.
Zoho ManageEngine ADAudit Plus versions 7260 and below
CVE-2024-36037
5.5 - Medium
- May 27, 2024
Zoho ManageEngine ADAudit Plus versions 7260 and below allows unauthorized local agent machine users to view the session recordings.
AuthZ
Zohocorp ManageEngine PAM360 version 6601 has an authorization vulnerability that allows a low-privileged user to perform admin actions
CVE-2024-27312
8.1 - High
- May 20, 2024
Zohocorp ManageEngine PAM360 version 6601 has an authorization vulnerability that allows a low-privileged user to perform admin actions. Note: This vulnerability affects only the PAM360 6600 version. No other versions are applicable to this vulnerability.
AuthZ
Zoho ManageEngine Exchange Reporter Plus versions 5714 and below are vulnerable to authenticated SQL injection in the report exporting feature.
CVE-2024-21775
8.8 - High
- February 16, 2024
Zoho ManageEngine Exchange Reporter Plus versions 5714 and below are vulnerable to authenticated SQL injection in the report exporting feature.
SQL Injection
ManageEngine ADAudit Plus versions 7270 and below are vulnerable to authenticated SQL injection in home Graph-Data.
CVE-2024-0253
8.8 - High
- February 02, 2024
ManageEngine ADAudit Plus versions 7270 and below are vulnerable to authenticated SQL injection in home Graph-Data.
SQL Injection
ManageEngine ADAudit Plus versions 7270 and below are vulnerable to authenticated SQL injection in File-Summary DrillDown
CVE-2024-0269
8.8 - High
- February 02, 2024
ManageEngine ADAudit Plus versions 7270 and below are vulnerable to authenticated SQL injection in File-Summary DrillDown. This issue has been fixed and released in version 7271.
SQL Injection
Zoho ManageEngine ADAudit Plus through 7250 is vulnerable to SQL Injection in the report export option.
CVE-2023-48792
9.8 - Critical
- February 02, 2024
Zoho ManageEngine ADAudit Plus through 7250 is vulnerable to SQL Injection in the report export option.
SQL Injection
Zoho ManageEngine ADAudit Plus through 7250
CVE-2023-48793
9.8 - Critical
- February 02, 2024
Zoho ManageEngine ADAudit Plus through 7250 allows SQL Injection in the aggregate report feature.
SQL Injection
Zoho ManageEngine ADAudit Plus before 7270
CVE-2023-50785
2.7 - Low
- January 25, 2024
Zoho ManageEngine ADAudit Plus before 7270 allows admin users to view names of arbitrary directories via path traversal.
Directory traversal
Zoho ManageEngine ServiceDesk Plus MSP before 14504
CVE-2023-49943
5.4 - Medium
- January 18, 2024
Zoho ManageEngine ServiceDesk Plus MSP before 14504 allows stored XSS (by a low-privileged technician) via a task's name in a time sheet.
XSS
ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to remote code execution due to improper handling in the load balancer component
CVE-2024-0252
8.8 - High
- January 11, 2024
ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to remote code execution due to improper handling in the load balancer component. Authentication is required in order to exploit this vulnerability.
A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258
CVE-2023-47211
8.6 - High
- January 08, 2024
A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability.
Directory traversal
Stored cross-site scripting vulnerability in the Zoho Forms plugin for WordPress
CVE-2023-50891
5.4 - Medium
- December 29, 2023
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in the Zoho Forms plugin for WordPress allows stored XSS. This issue affects Zoho Forms: from n/a through 3.0.1.
XSS
Zoho ManageEngine RecoveryManager Plus before 6070
CVE-2023-48646
7.2 - High
- November 22, 2023
Zoho ManageEngine RecoveryManager Plus before 6070 allows admin users to execute arbitrary commands via proxy settings.
An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed
CVE-2023-6105
5.5 - Medium
- November 15, 2023
An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine product database.
A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0
CVE-2023-4767
6.1 - Medium
- November 03, 2023
A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.csv.
CRLF Injection
A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0
CVE-2023-4768
6.1 - Medium
- November 03, 2023
A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.pdf.
CRLF Injection
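The two CRLF entries above (CVE-2023-4767 and CVE-2023-4768) describe the same bug class: a file name taken from the request is copied into a response header, so a CR/LF pair inside it ends the header and starts another. The following is an added example, not ManageEngine code, showing how the injection splits the header block as an HTTP client would parse it, and a whitelist-based fix. The header builder, the parser, the payload and the parameter name are all constructed for the demonstration.

```python
import re
from typing import List

# Constructed payload: closes the quoted value and starts a new header line.
PAYLOAD = 'report.csv"\r\nSet-Cookie: sid=evil'

# Whitelist: anything outside unreserved file-name characters becomes "_",
# which covers CR, LF, quotes, ':' and spaces.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def has_crlf(value: str) -> bool:
    """Detection check: does a request parameter carry header-breaking bytes?"""
    return "\r" in value or "\n" in value


def sanitize_file_name(file_name: str) -> str:
    """Reduce a user-supplied file name to a header-safe token."""
    cleaned = _UNSAFE.sub("_", file_name)
    return cleaned or "download"


def build_headers_vulnerable(file_name: str) -> bytes:
    """The bug: the raw parameter is interpolated into Content-Disposition."""
    head = (
        "HTTP/1.1 200 OK\r\n"
        f'Content-Disposition: attachment; filename="{file_name}"\r\n'
        "Content-Type: text/csv\r\n"
        "\r\n"
    )
    return head.encode("latin-1")


def build_headers_hardened(file_name: str) -> bytes:
    """The fix: sanitise before interpolation (rejecting with 400 is also fine)."""
    safe = sanitize_file_name(file_name)
    head = (
        "HTTP/1.1 200 OK\r\n"
        f'Content-Disposition: attachment; filename="{safe}"\r\n'
        "Content-Type: text/csv\r\n"
        "\r\n"
    )
    return head.encode("latin-1")


def header_names(raw: bytes) -> List[str]:
    """Split the response head the way an HTTP client does and list header names."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")[1:]   # drop the status line
    return [line.split(":", 1)[0].strip() for line in lines if line]


if __name__ == "__main__":
    print("vulnerable:", header_names(build_headers_vulnerable(PAYLOAD)))
    print("hardened:  ", header_names(build_headers_hardened(PAYLOAD)))
```

With the payload, the vulnerable builder yields three headers including an attacker-controlled Set-Cookie; the hardened builder yields the two intended ones. The has_crlf check is the cheap thing to log on at the edge, since a legitimate file name never contains a line break.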
A SSRF vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0, specifically the /smtpConfig.do component
CVE-2023-4769
8.8 - High
- November 03, 2023
A SSRF vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0, specifically the /smtpConfig.do component. This vulnerability could allow an authenticated attacker to launch targeted attacks, such as a cross-port attack, service enumeration and other attacks via HTTP requests.
SSRF
Zoho ManageEngine ADManager Plus before 7203
CVE-2023-41904
5.4 - Medium
- September 27, 2023
Zoho ManageEngine ADManager Plus before 7203 allows 2FA bypass (for AuthToken generation) in REST APIs.
Authentication Bypass
Zoho ManageEngine ADManager Plus before Build 7200
CVE-2023-38743
7.2 - High
- September 11, 2023
Zoho ManageEngine ADManager Plus before Build 7200 allows admin users to execute commands on the host machine.
ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability
CVE-2023-35719
6.8 - Medium
- September 06, 2023
ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of ManageEngine ADSelfService Plus. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Password Reset Portal used by the GINA client. The issue results from the lack of proper authentication of data received via HTTP. An attacker can leverage this vulnerability to bypass authentication and execute code in the context of SYSTEM. Was ZDI-CAN-17009.
Insufficient Verification of Data Authenticity
Zoho ManageEngine ADManager Plus before 7203
CVE-2023-39912
4.9 - Medium
- August 31, 2023
Zoho ManageEngine ADManager Plus before 7203 allows Help Desk Technician users to read arbitrary files on the machine where this product is installed.
Directory traversal
Zoho ManageEngine Active Directory 360 versions 4315 and below, ADAudit Plus 7202 and below, ADManager Plus 7200 and below, Asset Explorer 6993 and below and 7xxx 7002 and below, Cloud Security Plus 4161 and below, Data Security Plus 6110 and below, Eventlog Analyzer 12301 and below, Exchange Reporter Plus 5709 and below, Log360 5315 and below, Log360 UEBA 4045 and below, M365 Manager Plus 4529 and below, M365 Security Plus 4529 and below, Recovery Manager Plus 6061 and below, ServiceDesk Plus 14204 and below and 143xx 14302 and below, ServiceDesk Plus MSP 14300 and below, SharePoint Manager Plus 4402 and below, and Support Center Plus 14300 and below are vulnerable to 2FA bypass
CVE-2023-35785
8.1 - High
- August 28, 2023
Zoho ManageEngine Active Directory 360 versions 4315 and below, ADAudit Plus 7202 and below, ADManager Plus 7200 and below, Asset Explorer 6993 and below and 7xxx 7002 and below, Cloud Security Plus 4161 and below, Data Security Plus 6110 and below, Eventlog Analyzer 12301 and below, Exchange Reporter Plus 5709 and below, Log360 5315 and below, Log360 UEBA 4045 and below, M365 Manager Plus 4529 and below, M365 Security Plus 4529 and below, Recovery Manager Plus 6061 and below, ServiceDesk Plus 14204 and below and 143xx 14302 and below, ServiceDesk Plus MSP 14300 and below, SharePoint Manager Plus 4402 and below, and Support Center Plus 14300 and below are vulnerable to 2FA bypass via a few TOTP authenticators. Note: A valid pair of username and password is required to leverage this vulnerability.
Authentication Bypass
Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to the authenticated users.
CVE-2023-31492
6.5 - Medium
- August 17, 2023
Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to the authenticated users.
Insufficiently Protected Credentials
Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001
CVE-2020-27449
6.1 - Medium
- August 11, 2023
Cross Site Scripting (XSS) vulnerability in the Query Report feature in Zoho ManageEngine Password Manager Pro version 11001 allows remote attackers to execute arbitrary script and steal cookies via a crafted JavaScript payload.
XSS
Zoho ManageEngine Applications Manager through 16530
CVE-2023-38333
6.1 - Medium
- August 10, 2023
Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in.
XSS
The event analysis component in Zoho ManageEngine ADAudit Plus 7.1.1
CVE-2023-32783
7.5 - High
- August 07, 2023
The event analysis component in Zoho ManageEngine ADAudit Plus 7.1.1 allows an attacker to bypass audit detection by creating or renaming user accounts with a "$" symbol suffix. NOTE: the vendor states "We do not consider this as a security bug and it's an expected behaviour."
AuthZ
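Because the vendor considers the "$" suffix behaviour in CVE-2023-32783 expected, the practical response is a detection of your own rather than a patch. The following is an added example, not ADAudit Plus code: it scans constructed Windows Security log records and flags user accounts that are created with, or renamed to, a computer-style trailing "$". Event 4720 is user account created, 4781 is account renamed, and 4741 (computer account created) is the legitimate source of "$" names, so it is left alone. The record shape and all sample values are constructed for the example.

```python
from typing import Dict, Iterable, List

# Constructed sample records using Windows Security log field names.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4720", "TargetUserName": "jsmith", "SubjectUserName": "helpdesk1"},
    {"EventID": "4720", "TargetUserName": "svc-backup$", "SubjectUserName": "helpdesk1"},
    # Real computer accounts arrive as 4741, so a trailing "$" there is normal.
    {"EventID": "4741", "TargetUserName": "WS-042$", "SubjectUserName": "Administrator"},
    {"EventID": "4781", "OldTargetUserName": "tmpadmin", "NewTargetUserName": "tmpadmin$",
     "SubjectUserName": "jdoe"},
    # Renaming one computer account to another keeps the suffix: not an evasion.
    {"EventID": "4781", "OldTargetUserName": "OLD-PC$", "NewTargetUserName": "NEW-PC$",
     "SubjectUserName": "Administrator"},
]


def is_dollar_suffix_evasion(event: Dict[str, str]) -> bool:
    """True when a *user* account gains a computer-style "$" suffix."""
    eid = event.get("EventID")
    if eid == "4720":                                   # user account created
        return event.get("TargetUserName", "").endswith("$")
    if eid == "4781":                                   # account renamed
        old = event.get("OldTargetUserName", "")
        new = event.get("NewTargetUserName", "")
        return new.endswith("$") and not old.endswith("$")
    return False


def find_dollar_suffix_evasion(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return one finding line per suspicious event, in input order."""
    findings: List[str] = []
    for e in events:
        if is_dollar_suffix_evasion(e):
            name = e.get("NewTargetUserName") or e.get("TargetUserName", "")
            findings.append(f"{e['EventID']} {name} by {e.get('SubjectUserName', '?')}")
    return findings


if __name__ == "__main__":
    for line in find_dollar_suffix_evasion(SAMPLE_EVENTS):
        print("ALERT", line)
```

Run against the sample records this raises two alerts (the 4720 creating svc-backup$ and the 4781 renaming tmpadmin to tmpadmin$) and stays quiet on the genuine computer account events. The same predicate can be expressed as a SIEM rule; the point is that the check must run on the raw domain controller events, upstream of any product that already discards "$" names.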
Zoho ManageEngine ADManager Plus through 7201
CVE-2023-38332
6.5 - Medium
- August 04, 2023
Zoho ManageEngine ADManager Plus through 7201 allows authenticated users to take over another user's account via sensitive information disclosure.
An issue was discovered in Zoho ManageEngine Network Configuration Manager 12.6.165
CVE-2023-29505
8.8 - High
- August 04, 2023
An issue was discovered in Zoho ManageEngine Network Configuration Manager 12.6.165. The WebSocket endpoint allows Cross-site WebSocket hijacking.
Origin Validation Error
Zoho ManageEngine Support Center Plus 14001 and below is vulnerable to stored XSS in the products module.
CVE-2023-38331
5.4 - Medium
- July 28, 2023
Zoho ManageEngine Support Center Plus 14001 and below is vulnerable to stored XSS in the products module.
XSS
Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a privilege escalation vulnerability in the Release module
CVE-2023-34197
5.4 - Medium
- July 07, 2023
Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a privilege escalation vulnerability in the Release module that allows unprivileged users to access the Reminders of a release ticket and make modifications.
Zoho ManageEngine ADAudit Plus before 7100
CVE-2023-37308
5.4 - Medium
- July 07, 2023
Zoho ManageEngine ADAudit Plus before 7100 allows XSS via the username field.
XSS
Zoho ManageEngine ADManager Plus before 7183
CVE-2023-35786
4.9 - Medium
- July 05, 2023
Zoho ManageEngine ADManager Plus before 7183 allows admin users to exploit an XXE issue to view files.
XXE
Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass
CVE-2023-35854
9.8 - Critical
- June 20, 2023
Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is that they have "found no evidence or detail of a security vulnerability."
Missing Authentication for Critical Function
Zoho ManageEngine OPManager through 126323
CVE-2023-31099
8.8 - High
- May 04, 2023
Zoho ManageEngine OPManager through 126323 allows an authenticated user to achieve remote code execution via probe servers.
Zoho ManageEngine Applications Manager before 16400
CVE-2023-29442
6.1 - Medium
- April 26, 2023
Zoho ManageEngine Applications Manager before 16400 allows proxy.html DOM XSS.
XSS
Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server
CVE-2023-29443
4.9 - Medium
- April 26, 2023
Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint.
XXE
Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309
CVE-2023-2291
7.8 - High
- April 26, 2023
Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360. These credentials could allow a malicious actor to modify configuration data that would escalate their permissions from that of a low-privileged user to an Administrative user.
Zoho ManageEngine ADManager Plus before 7181
CVE-2023-29084
7.2 - High
- April 13, 2023
Zoho ManageEngine ADManager Plus before 7181 allows for authenticated users to exploit command injection via Proxy settings.
Command Injection
Zoho ManageEngine Applications Manager through 16320
CVE-2023-28340
6.5 - Medium
- April 11, 2023
Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack.
XXE
Stored Cross site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340
CVE-2023-28341
6.1 - Medium
- April 11, 2023
Stored Cross site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to inject malicious javascript on the incorrect login details page.
XSS
Zoho ManageEngine ADSelfService Plus before 6218
CVE-2023-28342
7.5 - High
- April 05, 2023
Zoho ManageEngine ADSelfService Plus before 6218 allows anyone to conduct a Denial-of-Service attack via the Mobile App Authentication API.
A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168
CVE-2022-43473
5.4 - Medium
- March 30, 2023
A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve a malicious XML payload to trigger this vulnerability.
XXE
Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack
CVE-2022-36413
9.1 - Critical
- March 23, 2023
Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack that leads to a password reset on IDM applications.
Improper Restriction of Excessive Authentication Attempts
Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Center Plus before 14000
CVE-2023-26601
7.5 - High
- March 06, 2023
Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Center Plus before 14000 allow Denial-of-Service (DoS).
Resource Exhaustion
ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Explorer through 6987
CVE-2023-26600
6.5 - Medium
- March 06, 2023
ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Explorer through 6987 allow privilege escalation via query reports.
Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2
CVE-2022-48362
8.8 - High
- February 25, 2023
Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2 allow directory traversal via computerName to AgentLogUploadServlet. A remote, authenticated attacker could upload arbitrary code that would be executed when Desktop Central is restarted. (The attacker could authenticate by exploiting CVE-2021-44515.)
Directory traversal
The Zoho Forms WordPress plugin before 3.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page or post, allowing stored XSS
CVE-2023-0169
5.4 - Medium
- February 13, 2023
The Zoho Forms WordPress plugin before 3.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform stored cross-site scripting attacks.
XSS
Cross Site Scripting (XSS) vulnerability in Zoho Asset Explorer 6.9
CVE-2023-23075
6.1 - Medium
- February 01, 2023
Cross Site Scripting (XSS) vulnerability in Zoho Asset Explorer 6.9 via the credential name when creating a new Assets Workstation.
XSS
OS Command injection vulnerability in Support Center Plus 11
CVE-2023-23076
9.8 - Critical
- February 01, 2023
OS Command injection vulnerability in Support Center Plus 11 via Executor in Action when creating new schedules.
Shell injection
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13
CVE-2023-23077
6.1 - Medium
- February 01, 2023
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment.
XSS
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14
CVE-2023-23078
6.1 - Medium
- February 01, 2023
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets.
XSS
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14
CVE-2023-23073
6.1 - Medium
- February 01, 2023
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component.
XSS
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14
CVE-2023-23074
6.1 - Medium
- February 01, 2023
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via embedding videos in the language component.
XSS
Zoho ManageEngine ServiceDesk Plus MSP before 10611
CVE-2023-22964
9.1 - Critical
- January 20, 2023
Zoho ManageEngine ServiceDesk Plus MSP before 10611, and 13x before 13004, is vulnerable to authentication bypass when LDAP authentication is enabled.
Authentication Bypass
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in
CVE-2022-47966
9.8 - Critical
- January 18, 2023
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41, ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).
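The description above says the xmlsec 1.4.1 XSLT features left certain protections to the application. The protection in question is simple to state: a ds:Transform is code chosen by the sender and executed by the verifier, so a SAML service provider should only accept the handful of transform algorithms an enveloped signature actually needs and refuse everything else (XSLT above all) before the document ever reaches the signature library. The following is an added example of that allowlist check, written for this page; it is not ManageEngine or Apache Santuario code. It uses only the Python standard library, the SAML Response documents it builds are constructed and abbreviated (placeholder digest and signature values, an inert stylesheet in the XSLT case), and the transform URIs are the standard XMLDSig identifiers. It complements, and does not replace, upgrading to the fixed builds listed in the entry.

```python
"""Allowlist check on XML Signature transforms before SAML verification.

Added example, not ManageEngine or Apache Santuario code. The SAML Response
documents below are constructed for illustration and abbreviated (no real
assertion, placeholder DigestValue/SignatureValue).
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

# What an SP-side verifier needs for an enveloped signature over a SAML
# Response or Assertion. XSLT and XPath transforms are deliberately absent:
# a transform is sender-chosen code that the verifier runs.
ALLOWED_TRANSFORMS = frozenset({
    DS + "enveloped-signature",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/2006/12/xml-c14n11",
})
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"


def signature_transforms(xml_bytes: bytes) -> list[str]:
    """Every ds:Transform Algorithm URI in the document, in document order.

    Walks the whole tree rather than one expected path, so a Signature placed
    somewhere unusual (a second Reference, or inside the Assertion) is still
    seen by the check.
    """
    root = ET.fromstring(xml_bytes)
    return [t.get("Algorithm", "") for t in root.iter(f"{{{DS}}}Transform")]


def disallowed_transforms(xml_bytes: bytes, allowed=ALLOWED_TRANSFORMS) -> list[str]:
    """Transform URIs not on the allowlist.

    An empty list means the document may be handed to the signature library.
    Anything else must be rejected before verification is attempted: the
    transform runs as part of processing the Reference, so a failed signature
    check afterwards comes too late.
    """
    return [a for a in signature_transforms(xml_bytes) if a not in allowed]


def sample_response(transforms: list[str]) -> bytes:
    """Constructed SAML Response with one Reference using `transforms`.

    For the XSLT URI an inert stylesheet child is included, since a real XSLT
    transform carries the sender's stylesheet in exactly this position.
    """
    parts = []
    for alg in transforms:
        if alg == XSLT_TRANSFORM:
            parts.append(
                f'<ds:Transform Algorithm="{alg}">'
                '<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">'
                '<xsl:template match="/"><out/></xsl:template></xsl:stylesheet>'
                '</ds:Transform>')
        else:
            parts.append(f'<ds:Transform Algorithm="{alg}"/>')
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">'
        f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
        '<ds:Reference URI="#_r1"><ds:Transforms>' + "".join(parts) + '</ds:Transforms>'
        '<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>'
        '</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>'
        '</samlp:Response>'
    ).encode()


if __name__ == "__main__":
    ok = sample_response([DS + "enveloped-signature", "http://www.w3.org/2001/10/xml-exc-c14n#"])
    bad = sample_response([XSLT_TRANSFORM, "http://www.w3.org/2001/10/xml-exc-c14n#"])
    print("benign response, disallowed:", disallowed_transforms(ok))
    print("xslt response, disallowed:  ", disallowed_transforms(bad))
```

Run it as a script to see the two verdicts; in a real SP the call to `disallowed_transforms` sits in front of the signature library and a non-empty result ends request processing with an error. The allowlist is the point: enumerating known-bad transforms would miss XPath Filter 2 and whatever the library happens to support, while the five identifiers above are all a standard enveloped SAML signature uses.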
Zoho ManageEngine Exchange Reporter Plus before 5708
CVE-2023-22624
7.5 - High
- January 17, 2023
Zoho ManageEngine Exchange Reporter Plus before 5708 allows attackers to conduct XXE attacks.
XXE
Zoho ManageEngine Access Manager Plus before 4309
CVE-2022-47523
9.8 - Critical
- January 05, 2023
Zoho ManageEngine Access Manager Plus before 4309, Password Manager Pro before 12210, and PAM360 before 5801 are vulnerable to SQL Injection.
SQL Injection
Zoho ManageEngine Device Control Plus 10.1.2228.15 USB restriction bypass via a virtual machine
CVE-2022-47577
7.8 - High
- December 20, 2022
An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the USB restrictions by making use of a virtual machine (VM). This allows a file to be exchanged outside the laptop/system. VMs can be created by any user (even without admin rights). The data exfiltration can occur without any record in the audit trail of Windows events on the host machine. NOTE: the vendor's position is "it's not a vulnerability in our product."
Zoho ManageEngine Device Control Plus 10.1.2228.15 USB restriction bypass via Safe Mode
CVE-2022-47578
7.8 - High
- December 20, 2022
An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the USB restrictions by booting into Safe Mode. This allows a file to be exchanged outside the laptop/system. Safe Mode can be launched by any user (even without admin rights). Data exfiltration can occur, and also malware might be introduced onto the system. NOTE: the vendor's position is "it's not a vulnerability in our product."
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to a validation bypass
CVE-2022-40772
6.5 - Medium
- November 23, 2022
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to a validation bypass that allows users to access sensitive data via the report module.
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack
CVE-2022-40771
4.9 - Medium
- November 23, 2022
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure.
XXE
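Both XXE entries in this section (CVE-2023-22624 in Exchange Reporter Plus and CVE-2022-40771 in ServiceDesk Plus) come down to the same defect: an XML parser that honours DOCTYPE declarations on attacker-supplied input, so a SYSTEM entity can pull a local file or an internal URL into the document. The products are Java, where the fix is to disable DOCTYPE declarations on the parser factory (`http://apache.org/xml/features/disallow-doctype-decl`). The following is an added example of the same policy as a pre-parse check in Python, written for this page and not taken from ManageEngine; it uses only the standard library's expat bindings, never dereferences a SYSTEM or PUBLIC identifier, and the sample documents (including the XXE payload) are constructed here. The strict mode rejects any DTD; the lenient mode shows what has to be checked if a DTD must be tolerated.

```python
"""DTD/entity pre-check before handing XML to a parser (added example).

Not ManageEngine code. The sample documents are constructed for illustration.
The scan uses expat callbacks only and never fetches a SYSTEM/PUBLIC
identifier, so it is safe to run on untrusted input.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when a document declares a DTD or entities the policy forbids."""


def check_xml(xml_bytes: bytes, allow_dtd: bool = False, max_entities: int = 10) -> str:
    """Return "ok" or a short rejection reason, without resolving anything.

    allow_dtd=False (default): any <!DOCTYPE ...> is rejected. This is the
        simplest and most robust anti-XXE rule; it is what the Java
        disallow-doctype-decl feature and defusedxml do.
    allow_dtd=True: the internal subset may declare a bounded number of
        internal entities, but any external entity (SYSTEM/PUBLIC), any
        parameter entity and any external DTD subset are rejected at
        declaration time, before anything can reference them.
    """
    reasons: list[str] = []
    entity_count = 0

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_dtd:
            reasons.append(f"DOCTYPE not allowed (root={name})")
        elif sysid or pubid:
            reasons.append(f"external DTD subset not allowed ({sysid or pubid})")

    def on_entity_decl(name, is_pe, value, base, sysid, pubid, notation):
        nonlocal entity_count
        if is_pe:
            reasons.append(f"parameter entity %{name}; not allowed")
        elif value is None:  # expat passes None for external entities
            reasons.append(f"external entity &{name}; -> {sysid or pubid}")
        else:
            entity_count += 1
            if entity_count > max_entities:  # crude entity-expansion bound
                reasons.append(f"more than {max_entities} internal entities")

    def on_external_ref(context, base, sysid, pubid):
        # Backstop: if a reference to external content is ever reached, record
        # it and tell expat it was "handled" so nothing is fetched.
        reasons.append(f"external reference {sysid or pubid}")
        return 1

    p = expat.ParserCreate()
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)  # never read external DTDs
    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity_decl
    p.ExternalEntityRefHandler = on_external_ref
    try:
        p.Parse(xml_bytes, True)
    except expat.ExpatError as e:
        return f"malformed XML: {e}"
    return "ok" if not reasons else reasons[0]


def safe_parse(xml_bytes: bytes, **policy) -> ET.Element:
    """Parse only after check_xml accepts the document."""
    verdict = check_xml(xml_bytes, **policy)
    if verdict != "ok":
        raise UnsafeXML(verdict)
    return ET.fromstring(xml_bytes)


# Constructed samples: a plain report, an XXE payload, and a harmless DTD.
BENIGN = b'<?xml version="1.0"?><report><row id="1">ok</row></report>'
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE report [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>'
       b'<report><row>&xxe;</row></report>')
INTERNAL = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE report [ <!ENTITY co "Example Corp"> ]>'
            b'<report><row>&co;</row></report>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xxe", XXE), ("internal dtd", INTERNAL)):
        print(f"{label:13} strict: {check_xml(doc):40} lenient: {check_xml(doc, allow_dtd=True)}")
```

The lenient branch exists to show how much more there is to get right once a DTD is tolerated (external general entities, parameter entities, an external subset, expansion bounds); in an application that only exchanges data documents, the strict default is the one to ship.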
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to authenticated command injection
CVE-2022-40770
7.2 - High
- November 23, 2022
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to authenticated command injection. This can be exploited by high-privileged users.
Command Injection
Zoho ManageEngine ADManager Plus through 7151
CVE-2022-42904
7.2 - High
- November 18, 2022
Zoho ManageEngine ADManager Plus through 7151 allows authenticated admin users to execute commands via the proxy settings.
Zoho ManageEngine SupportCenter Plus through 11024
CVE-2022-42903
3.3 - Low
- November 17, 2022
Zoho ManageEngine SupportCenter Plus through 11024 allows low-privileged users to view the organization users list.
AuthZ
Zoho ManageEngine ServiceDesk Plus MSP before 10609 and SupportCenter Plus before 11025 are vulnerable to privilege escalation
CVE-2022-40773
8.8 - High
- November 12, 2022
Zoho ManageEngine ServiceDesk Plus MSP before 10609 and SupportCenter Plus before 11025 are vulnerable to privilege escalation. This allows users to obtain sensitive data during an exportMickeyList export of requests from the list view.
Improper Input Validation
Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306
CVE-2022-43672
9.8 - Critical
- November 12, 2022
Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection (in a different software component relative to CVE-2022-43671).
SQL Injection
Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306
CVE-2022-43671
9.8 - Critical
- November 12, 2022
Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection.
SQL Injection