Latest Zohocorp Vulnerabilities

CVE-2024-0269
SQL Injection
Zohocorp Manageengine Adaudit Plus<7.2
Zohocorp Manageengine Adaudit Plus=7.2-7200
Zohocorp Manageengine Adaudit Plus=7.2-7201
Zohocorp Manageengine Adaudit Plus=7.2-7202
Zohocorp Manageengine Adaudit Plus=7.2-7203
Zohocorp Manageengine Adaudit Plus=7.2-7210
and 9 more
CVE-2024-0253
SQL Injection
Zohocorp Manageengine Adaudit Plus<7.2
Zohocorp Manageengine Adaudit Plus=7.2-7200
Zohocorp Manageengine Adaudit Plus=7.2-7201
Zohocorp Manageengine Adaudit Plus=7.2-7202
Zohocorp Manageengine Adaudit Plus=7.2-7203
Zohocorp Manageengine Adaudit Plus=7.2-7210
and 9 more
CVE-2023-48792
Zoho ManageEngine ADAudit Plus through 7250 is vulnerable to SQL Injection in the report export option.
Zohocorp Manageengine Adaudit Plus<7.2
Zohocorp Manageengine Adaudit Plus=7.2-7200
Zohocorp Manageengine Adaudit Plus=7.2-7201
Zohocorp Manageengine Adaudit Plus=7.2-7202
Zohocorp Manageengine Adaudit Plus=7.2-7203
Zohocorp Manageengine Adaudit Plus=7.2-7210
and 5 more
CVE-2023-48793
Zoho ManageEngine ADAudit Plus through 7250 allows SQL Injection in the aggregate report feature.
Zohocorp Manageengine Adaudit Plus<7.2
Zohocorp Manageengine Adaudit Plus=7.2-7200
Zohocorp Manageengine Adaudit Plus=7.2-7201
Zohocorp Manageengine Adaudit Plus=7.2-7202
Zohocorp Manageengine Adaudit Plus=7.2-7203
Zohocorp Manageengine Adaudit Plus=7.2-7210
and 9 more
CVE-2023-50785
Zoho ManageEngine ADAudit Plus before 7270 allows admin users to view names of arbitrary directories via path traversal.
Zohocorp Manageengine Adaudit Plus=7.2-7200
Zohocorp Manageengine Adaudit Plus=7.2-7201
Zohocorp Manageengine Adaudit Plus=7.2-7202
Zohocorp Manageengine Adaudit Plus=7.2-7203
Zohocorp Manageengine Adaudit Plus=7.2-7210
Zohocorp Manageengine Adaudit Plus=7.2-7211
and 7 more
CVE-2023-49943
Zoho ManageEngine ServiceDesk Plus MSP before 14504 allows stored XSS (by a low-privileged technician) via a task's name in a time sheet.
Zoho ManageEngine ServiceDesk Plus (SDP) / SupportCenter Plus<14.5
Zoho ManageEngine ServiceDesk Plus (SDP) / SupportCenter Plus=14.5-14500
Zoho ManageEngine ServiceDesk Plus (SDP) / SupportCenter Plus=14.5-14501
Zoho ManageEngine ServiceDesk Plus (SDP) / SupportCenter Plus=14.5-14502
Zoho ManageEngine ServiceDesk Plus (SDP) / SupportCenter Plus=14.5-14503
CVE-2024-0252
Remote code execution
Zohocorp Manageengine Adselfservice Plus<6.4
Zohocorp Manageengine Adselfservice Plus=6.4-6400
Zohocorp Manageengine Adselfservice Plus=6.4-6401
CVE-2023-47211
A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send...
Zohocorp Manageengine Firewall Analyzer<12.7
Zohocorp Manageengine Firewall Analyzer=12.7-build127000
Zohocorp Manageengine Firewall Analyzer=12.7-build127101
Zohocorp Manageengine Firewall Analyzer=12.7-build127130
Zohocorp Manageengine Firewall Analyzer=12.7-build127131
Zohocorp Manageengine Firewall Analyzer=12.7-build127187
and 91 more
CVE-2023-50891
WordPress Zoho Forms Plugin <= 3.0.1 is vulnerable to Cross Site Scripting (XSS)
<=3.0.1
CVE-2023-48646
Zoho ManageEngine RecoveryManager Plus before 6070 allows admin users to execute arbitrary commands via proxy settings.
Zohocorp Manageengine Recoverymanager Plus<6.0
Zohocorp Manageengine Recoverymanager Plus=6.0-build6001
Zohocorp Manageengine Recoverymanager Plus=6.0-build6003
Zohocorp Manageengine Recoverymanager Plus=6.0-build6005
Zohocorp Manageengine Recoverymanager Plus=6.0-build6011
Zohocorp Manageengine Recoverymanager Plus=6.0-build6016
and 23 more
CVE-2023-6105
ManageEngine Information Disclosure in Multiple Products
Zoho ManageEngine<5.3
Zohocorp Manageengine Appcreator<2.0.0
Zohocorp Manageengine Application Control Plus<11.2.2328.01
Zohocorp Manageengine Browser Security Plus<11.2.2328.01
Zoho ManageEngine<11.2.2328.01
Zohocorp Manageengine Endpoint Central<11.2.2322.01
and 782 more
CVE-2023-4769
Server-Side Request Forgery in ManageEngine Desktop Central
Zohocorp Manageengine Desktop Central=9.1.0
CVE-2023-4768
Improper Neutralization of CRLF Sequences in ManageEngine Desktop Central
Zohocorp Manageengine Desktop Central=9.1.0
CVE-2023-4767
Improper Neutralization of CRLF Sequences in ManageEngine Desktop Central
Zohocorp Manageengine Desktop Central=9.1.0
CVE-2023-41904
Zoho ManageEngine ADManager Plus before 7203 allows 2FA bypass (for AuthToken generation) in REST APIs.
Zohocorp Manageengine Admanager Plus<7.2
Zohocorp Manageengine Admanager Plus=7.2-7200
Zohocorp Manageengine Admanager Plus=7.2-7201
Zohocorp Manageengine Admanager Plus=7.2-7202
CVE-2023-38743
Zoho ManageEngine ADManager Plus before Build 7200 allows admin users to execute commands on the host machine.
Zohocorp Manageengine Admanager Plus<7.2
CVE-2023-35719
(0Day) ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability
Zohocorp Manageengine Adselfservice Plus=6.1-6122
ManageEngine ADSelfService Plus
CVE-2023-39912
Zoho ManageEngine ADManager Plus before 7203 allows Help Desk Technician users to read arbitrary files on the machine where this product is installed.
<=7202
Zohocorp Manageengine Admanager Plus<=7202
CVE-2023-35785
Zoho ManageEngine Active Directory 360 versions 4315 and below, ADAudit Plus 7202 and below, ADManager Plus 7200 and below, Asset Explorer 6993 and below and 7xxx 7002 and below, Cloud Security Plus 4...
Zohocorp Manageengine Ad360<4.3
Zohocorp Manageengine Ad360=4.3-4300
Zohocorp Manageengine Ad360=4.3-4302
Zohocorp Manageengine Ad360=4.3-4303
Zohocorp Manageengine Ad360=4.3-4304
Zohocorp Manageengine Ad360=4.3-4305
and 229 more
CVE-2023-31492
Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to the authenticated users.
Zohocorp Manageengine Admanager Plus<7.1
Zohocorp Manageengine Admanager Plus=7.1
Zohocorp Manageengine Admanager Plus=7.1-7100
Zohocorp Manageengine Admanager Plus=7.1-7101
Zohocorp Manageengine Admanager Plus=7.1-7102
Zohocorp Manageengine Admanager Plus=7.1-7110
and 30 more
CVE-2020-27449
Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001, allows remote attackers to execute arbitrary code and steal cookies via crafte...
Zohocorp Manageengine Password Manager Pro=11.1-build_11101
CVE-2023-38333
Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in.
Zohocorp Manageengine Applications Manager<16.5
Zohocorp Manageengine Applications Manager=16.5
Zohocorp Manageengine Applications Manager=16.5-build16500
Zohocorp Manageengine Applications Manager=16.5-build16510
Zohocorp Manageengine Applications Manager=16.5-build16511
Zohocorp Manageengine Applications Manager=16.5-build16520
and 1 more
CVE-2023-32783
The event analysis component in Zoho ManageEngine ADAudit Plus 7.1.1 allows an attacker to bypass audit detection by creating or renaming user accounts with a "$" symbol suffix.
Zohocorp Manageengine Adaudit Plus=7.1.1
Microsoft Windows
=7.1.1
CVE-2023-38332
Zoho ManageEngine ADManager Plus through 7201 allow authenticated users to take over another user's account via sensitive information disclosure.
Zohocorp Manageengine Admanager Plus<7.2
Zohocorp Manageengine Admanager Plus=7.2-7200
Zohocorp Manageengine Admanager Plus=7.2-7201
CVE-2023-29505
An issue was discovered in Zoho ManageEngine Network Configuration Manager 12.6.165. The WebSocket endpoint allows Cross-site WebSocket hijacking.
Zohocorp Manageengine Network Configuration Manager=12.6-build126165
CVE-2023-38331
Zoho ManageEngine Support Center Plus 14001 and below is vulnerable to stored XSS in the products module.
Zohocorp Manageengine Supportcenter Plus=8.0-8015
Zohocorp Manageengine Supportcenter Plus=8.1-8100
Zohocorp Manageengine Supportcenter Plus=8.1-8101
Zohocorp Manageengine Supportcenter Plus=8.1-8102
Zohocorp Manageengine Supportcenter Plus=8.1-8117
Zohocorp Manageengine Supportcenter Plus=8.1-8118
and 8 more
CVE-2023-37308
Zoho ManageEngine ADAudit Plus before 7100 allows XSS via the username field.
Zohocorp Manageengine Adaudit Plus<7.0
Zohocorp Manageengine Adaudit Plus=7.0
Zohocorp Manageengine Adaudit Plus=7.0-7000
Zohocorp Manageengine Adaudit Plus=7.0-7002
Zohocorp Manageengine Adaudit Plus=7.0-7003
Zohocorp Manageengine Adaudit Plus=7.0-7004
and 19 more
CVE-2023-34197
Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a privilege escalation vulnerability in the Release module that allows unpr...
Zohocorp Manageengine Servicedesk Plus<14.2
Zohocorp Manageengine Servicedesk Plus=14.2-14200
Zohocorp Manageengine Servicedesk Plus=14.2-14201
Zoho ManageEngine ServiceDesk Plus (SDP) / SupportCenter Plus<14.2
Zoho ManageEngine ServiceDesk Plus (SDP) / SupportCenter Plus=14.2-14200
Zoho ManageEngine ServiceDesk Plus (SDP) / SupportCenter Plus=14.2-14201
and 4 more
CVE-2023-35854
** DISPUTED ** Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achievin...
Zohocorp Manageengine Adselfservice Plus<6.1
Zohocorp Manageengine Adselfservice Plus=6.1
Zohocorp Manageengine Adselfservice Plus=6.1-6100
Zohocorp Manageengine Adselfservice Plus=6.1-6101
Zohocorp Manageengine Adselfservice Plus=6.1-6102
Zohocorp Manageengine Adselfservice Plus=6.1-6103
and 24 more
CVE-2023-31099
Zoho ManageEngine OPManager through 126323 allows an authenticated user to achieve remote code execution via probe servers.
Zohocorp Manageengine Opmanager<12.6
Zohocorp Manageengine Opmanager=12.6-build126000
Zohocorp Manageengine Opmanager=12.6-build126001
Zohocorp Manageengine Opmanager=12.6-build126002
Zohocorp Manageengine Opmanager=12.6-build126004
Zohocorp Manageengine Opmanager=12.6-build126005
and 63 more
CVE-2023-2291
Zohocorp Manageengine Access Manager Plus=4.3-build4309
Zohocorp Manageengine Pam360
Zohocorp Manageengine Password Manager Pro
CVE-2023-29443
Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a ...
Zohocorp Manageengine Assetexplorer=6.9-6980
Zohocorp Manageengine Assetexplorer=6.9-6981
Zohocorp Manageengine Assetexplorer=6.9-6982
Zohocorp Manageengine Assetexplorer=6.9-6983
Zohocorp Manageengine Assetexplorer=6.9-6984
Zohocorp Manageengine Assetexplorer=6.9-6985
and 16 more
CVE-2023-29442
Zoho ManageEngine Applications Manager before 16400 allows proxy.html DOM XSS.
Zohocorp Manageengine Applications Manager<16.3
Zohocorp Manageengine Applications Manager=16.3-build16300
Zohocorp Manageengine Applications Manager=16.3-build16310
Zohocorp Manageengine Applications Manager=16.3-build16320
Zohocorp Manageengine Applications Manager=16.3-build16330
Zohocorp Manageengine Applications Manager=16.3-build16340
and 6 more
CVE-2023-29084
Zoho ManageEngine ADManager Plus before 7181 allows for authenticated users to exploit command injection via Proxy settings.
Zohocorp Manageengine Admanager Plus<7.1
Zohocorp Manageengine Admanager Plus=7.1-7100
Zohocorp Manageengine Admanager Plus=7.1-7101
Zohocorp Manageengine Admanager Plus=7.1-7102
Zohocorp Manageengine Admanager Plus=7.1-7110
Zohocorp Manageengine Admanager Plus=7.1-7111
and 27 more
CVE-2023-28341
Stored Cross site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to inject malicious javascript on the incorrect login details pag...
Zohocorp Manageengine Applications Manager>=16.0<16.3
Zohocorp Manageengine Applications Manager=15.9-build15990
Zohocorp Manageengine Applications Manager=16.3-build16300
Zohocorp Manageengine Applications Manager=16.3-build16310
Zohocorp Manageengine Applications Manager=16.3-build16320
Zohocorp Manageengine Applications Manager=16.3-build16330
and 1 more
CVE-2023-28340
Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack.
Zohocorp Manageengine Applications Manager<16.3
Zohocorp Manageengine Applications Manager=16.3-build16300
Zohocorp Manageengine Applications Manager=16.3-build16310
Zohocorp Manageengine Applications Manager=16.3-build16320
CVE-2023-28342
Zoho ManageEngine ADSelfService Plus before 6218 allows anyone to conduct a Denial-of-Service attack via the Mobile App Authentication API.
Zohocorp Manageengine Adselfservice Plus=4.5-4510
Zohocorp Manageengine Adselfservice Plus=4.5-4511
Zohocorp Manageengine Adselfservice Plus=4.5-4520
Zohocorp Manageengine Adselfservice Plus=4.5-4522
Zohocorp Manageengine Adselfservice Plus=4.5-4531
Zohocorp Manageengine Adselfservice Plus=4.5-4540
and 198 more
CVE-2022-43473
A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve a ma...
Zohocorp Manageengine Opmanager<12.6
Zohocorp Manageengine Opmanager=12.6-build126000
Zohocorp Manageengine Opmanager=12.6-build126001
Zohocorp Manageengine Opmanager=12.6-build126002
Zohocorp Manageengine Opmanager=12.6-build126004
Zohocorp Manageengine Opmanager=12.6-build126005
and 75 more
CVE-2022-36413
Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack that leads to a password reset on IDM applications.
Zohocorp Manageengine Adselfservice Plus<6.2
Zohocorp Manageengine Adselfservice Plus=6.2-6200
Zohocorp Manageengine Adselfservice Plus=6.2-6201
Zohocorp Manageengine Adselfservice Plus=6.2-6202
Zohocorp Manageengine Adselfservice Plus=6.2-6203
Zohocorp Manageengine Adselfservice Plus=6.2-6204
and 13 more
CVE-2023-26601
Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Center Plus before 14000 allow Denial-of-Service (DoS).
Zohocorp Manageengine Assetexplorer<6.9
Zohocorp Manageengine Assetexplorer=6.9
Zohocorp Manageengine Assetexplorer=6.9-6900
Zohocorp Manageengine Assetexplorer=6.9-6901
Zohocorp Manageengine Assetexplorer=6.9-6902
Zohocorp Manageengine Assetexplorer=6.9-6903
and 42 more
CVE-2023-26600
ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Explorer through 6987 allow privilege escalation via query reports.
Zohocorp Manageengine Assetexplorer<6.9
Zohocorp Manageengine Assetexplorer=6.9
Zohocorp Manageengine Assetexplorer=6.9-6900
Zohocorp Manageengine Assetexplorer=6.9-6901
Zohocorp Manageengine Assetexplorer=6.9-6902
Zohocorp Manageengine Assetexplorer=6.9-6903
and 74 more
CVE-2022-48362
Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2 allow directory traversal via computerName to AgentLogUploadServlet. A remote, authenticated attacker could upload arbitrar...
Zohocorp Manageengine Desktop Central<10.1.2137.2
Zohocorp Manageengine Desktop Central<10.1.2137.2
CVE-2023-0169
The Zoho Forms WordPress plugin before 3.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow us...
Zohocorp Zoho Forms<3.0.1
CVE-2023-23078
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets.
Zohocorp Manageengine Servicedesk Plus=14.0
Zohocorp Manageengine Servicedesk Plus=14.0-14000
Zohocorp Manageengine Servicedesk Plus=14.0-14001
Zohocorp Manageengine Servicedesk Plus=14.0-14002
Zohocorp Manageengine Servicedesk Plus=14.0-14003
Zohocorp Manageengine Servicedesk Plus=14.0-14004
and 2 more
CVE-2023-23075
Cross Site Scripting (XSS) vulnerability in Zoho Asset Explorer 6.9 via the credential name when creating a new Assets Workstation.
Zohocorp Manageengine Assetexplorer=6.9
Zohocorp Manageengine Assetexplorer=6.9-6900
Zohocorp Manageengine Assetexplorer=6.9-6901
Zohocorp Manageengine Assetexplorer=6.9-6902
Zohocorp Manageengine Assetexplorer=6.9-6903
Zohocorp Manageengine Assetexplorer=6.9-6904
and 32 more
CVE-2023-23074
Zohocorp Manageengine Servicedesk Plus=14.0
Zohocorp Manageengine Servicedesk Plus=14.0-14000
Zohocorp Manageengine Servicedesk Plus=14.0-14001
Zohocorp Manageengine Servicedesk Plus=14.0-14002
Zohocorp Manageengine Servicedesk Plus=14.0-14003
Zohocorp Manageengine Servicedesk Plus=14.0-14004
and 2 more
CVE-2023-23076
OS Command injection vulnerability in Support Center Plus 11 via Executor in Action when creating new schedules.
Zohocorp Manageengine Supportcenter Plus=11.0
Zohocorp Manageengine Supportcenter Plus=11.0-11001
Zohocorp Manageengine Supportcenter Plus=11.0-11002
Zohocorp Manageengine Supportcenter Plus=11.0-11003
Zohocorp Manageengine Supportcenter Plus=11.0-11004
Zohocorp Manageengine Supportcenter Plus=11.0-11005
and 21 more
CVE-2023-23073
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component.
Zohocorp Manageengine Servicedesk Plus=14.0
Zohocorp Manageengine Servicedesk Plus=14.0-14000
Zohocorp Manageengine Servicedesk Plus=14.0-14001
Zohocorp Manageengine Servicedesk Plus=14.0-14002
Zohocorp Manageengine Servicedesk Plus=14.0-14003
Zohocorp Manageengine Servicedesk Plus=14.0-14004
and 2 more
CVE-2023-22964
Zoho ManageEngine ServiceDesk Plus MSP before 10611, and 13x before 13004, is vulnerable to authentication bypass when LDAP authentication is enabled.
Zoho ManageEngine ServiceDesk Plus (SDP) / SupportCenter Plus=10.6-10600
Zoho ManageEngine ServiceDesk Plus (SDP) / SupportCenter Plus=10.6-10601
Zoho ManageEngine ServiceDesk Plus (SDP) / SupportCenter Plus=10.6-10602
Zoho ManageEngine ServiceDesk Plus (SDP) / SupportCenter Plus=10.6-10603
Zoho ManageEngine ServiceDesk Plus (SDP) / SupportCenter Plus=10.6-10604
Zoho ManageEngine ServiceDesk Plus (SDP) / SupportCenter Plus=10.6-10605
and 9 more
CVE-2022-47966
Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability
Zohocorp Manageengine Access Manager Plus<4.3
Zohocorp Manageengine Access Manager Plus=4.3-build4300
Zohocorp Manageengine Access Manager Plus=4.3-build4301
Zohocorp Manageengine Access Manager Plus=4.3-build4302
Zohocorp Manageengine Access Manager Plus=4.3-build4303
Zohocorp Manageengine Access Manager Plus=4.3-build4304
and 153 more

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203