Filtered by vendor Manageengine
Subscribe
Total
476 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-6105 | 3 Linux, Microsoft, Zohocorp | 41 Linux Kernel, Windows, Manageengine Access Manager Plus and 38 more | 2023-11-29 | N/A | 5.5 MEDIUM |
An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine product database. | |||||
CVE-2023-48646 | 2023-11-22 | N/A | N/A | ||
Zoho ManageEngine RecoveryManager Plus before 6070 allows admin users to execute arbitrary commands via proxy settings. | |||||
CVE-2023-41356 | 1 Wisdomgarden | 1 Tronclass Ilearn | 2023-11-14 | N/A | 6.5 MEDIUM |
NCSIST ManageEngine Mobile Device Manager(MDM) APP's special function has a path traversal vulnerability. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and read arbitrary system files. | |||||
CVE-2023-41344 | 1 Ncsist | 1 Mobile Device Manager | 2023-11-13 | N/A | 7.5 HIGH |
NCSIST ManageEngine Mobile Device Manager(MDM) APP's special function has a path traversal vulnerability. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication and read arbitrary system files. | |||||
CVE-2023-4769 | 1 Zohocorp | 1 Manageengine Desktop Central | 2023-11-13 | N/A | 8.8 HIGH |
A SSRF vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0, specifically the /smtpConfig.do component. This vulnerability could allow an authenticated attacker to launch targeted attacks, such as a cross-port attack, service enumeration and other attacks via HTTP requests. | |||||
CVE-2023-4768 | 1 Zohocorp | 1 Manageengine Desktop Central | 2023-11-13 | N/A | 6.1 MEDIUM |
A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.pdf. | |||||
CVE-2023-4767 | 1 Zohocorp | 1 Manageengine Desktop Central | 2023-11-13 | N/A | 6.1 MEDIUM |
A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.csv. | |||||
CVE-2023-35854 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2023-11-07 | N/A | 9.8 CRITICAL |
Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is that they have "found no evidence or detail of a security vulnerability." | |||||
CVE-2022-47578 | 1 Zohocorp | 1 Manageengine Device Control Plus | 2023-11-07 | N/A | 7.8 HIGH |
An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the USB restrictions by booting into Safe Mode. This allows a file to be exchanged outside the laptop/system. Safe Mode can be launched by any user (even without admin rights). Data exfiltration can occur, and also malware might be introduced onto the system. NOTE: the vendor's position is "it's not a vulnerability in our product." | |||||
CVE-2022-47577 | 1 Zohocorp | 1 Manageengine Device Control Plus | 2023-11-07 | N/A | 7.8 HIGH |
An issue was discovered in the endpoint protection agent in Zoho ManageEngine Device Control Plus 10.1.2228.15. Despite configuring complete restrictions on USB pendrives, USB HDD devices, memory cards, USB connections to mobile devices, etc., it is still possible to bypass the USB restrictions by making use of a virtual machine (VM). This allows a file to be exchanged outside the laptop/system. VMs can be created by any user (even without admin rights). The data exfiltration can occur without any record in the audit trail of Windows events on the host machine. NOTE: the vendor's position is "it's not a vulnerability in our product." | |||||
CVE-2022-43473 | 1 Zohocorp | 3 Manageengine Opmanager, Manageengine Opmanager Msp, Manageengine Opmanager Plus | 2023-11-07 | N/A | 5.4 MEDIUM |
A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve a malicious XML payload to trigger this vulnerability. | |||||
CVE-2021-41080 | 1 Zohocorp | 1 Manageengine Network Configuration Manager | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
Zoho ManageEngine Network Configuration Manager before ??125465 is vulnerable to SQL Injection in a hardware details search. | |||||
CVE-2021-41081 | 1 Zohocorp | 1 Manageengine Network Configuration Manager | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
Zoho ManageEngine Network Configuration Manager before ??125465 is vulnerable to SQL Injection in a configuration search. | |||||
CVE-2021-33256 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2023-11-07 | 9.3 HIGH | 8.8 HIGH |
A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. The j_username parameter seems to be vulnerable and a reverse shell could be obtained if a privileged user exports "User Attempts Audit Report" as CSV file. Note: The vendor disputes this vulnerability, claiming "This is not a valid vulnerability in our ADSSP product. We don't see this as a security issue at our side. | |||||
CVE-2020-9347 | 1 Zohocorp | 1 Manageengine Password Manager Pro | 2023-11-07 | 7.5 HIGH | 9.8 CRITICAL |
Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. NOTE: the vendor disputes the significance of this report because they expect CSV risk mitigation to be provided by an external application, and do not plan to add CSV constraints to their own products | |||||
CVE-2020-24786 | 1 Zohocorp | 11 Manageengine Ad360, Manageengine Adaudit Plus, Manageengine Admanager Plus and 8 more | 2023-11-07 | 10.0 HIGH | 9.8 CRITICAL |
An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer before build number 12136, ADAudit Plus before build number 6052, O365 Manager Plus before build number 4334, Cloud Security Plus before build number 4110, ADManager Plus before build number 7055, and Log360 before build number 5166. The remotely accessible Java servlet com.manageengine.ads.fw.servlet.UpdateProductDetails is prone to an authentication bypass. System integration properties can be modified and lead to full ManageEngine suite compromise. | |||||
CVE-2019-15045 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2023-11-07 | 5.0 MEDIUM | 5.3 MEDIUM |
AjaxDomainServlet in Zoho ManageEngine ServiceDesk Plus 10 allows User Enumeration. NOTE: the vendor's position is that this is intended functionality | |||||
CVE-2018-7248 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2023-11-07 | 5.0 MEDIUM | 5.3 MEDIUM |
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Unauthenticated users are able to validate domain user accounts by sending a request containing the username to an API endpoint. The endpoint will return the user's logon domain if the accounts exists, or 'null' if it does not. | |||||
CVE-2023-41904 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2023-09-28 | N/A | 5.4 MEDIUM |
Zoho ManageEngine ADManager Plus before 7203 allows 2FA bypass (for AuthToken generation) in REST APIs. | |||||
CVE-2023-38743 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2023-09-13 | N/A | 7.2 HIGH |
Zoho ManageEngine ADManager Plus before Build 7200 allows admin users to execute commands on the host machine. |