Filtered by vendor Zohocorp
Total: 458 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2017-17698 | 1 Zohocorp | 1 Manageengine Password Manager Pro | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM | Zoho ManageEngine Password Manager Pro 9 before 9.4 (9400) has reflected XSS in SearchResult.ec and BulkAccessControlView.ec. |
CVE-2015-9107 | 1 Zohocorp | 1 Manageengine Opmanager | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL | Zoho ManageEngine OpManager 11 through 12.2 uses a custom encryption algorithm to protect the credential used to access the monitored devices. The implemented algorithm doesn't use a per-system key or even a salt; therefore, it's possible to create a universal decryptor. |
CVE-2017-14123 | 1 Zohocorp | 1 Manageengine Firewall Analyzer | 2023-12-10 | 9.0 HIGH | 8.8 HIGH | Zoho ManageEngine Firewall Analyzer 12200 has an unrestricted File Upload vulnerability in the "Group Chat" section. Any user can upload files with any extensions. By uploading a PHP file to the server, an attacker can cause it to execute in the server context, as demonstrated by /itplus/FileStorage/302/shell.jsp. |
CVE-2017-11685 | 1 Zohocorp | 1 Manageengine Eventlog Analyzer | 2023-12-10 | 4.3 MEDIUM | 6.1 MEDIUM | Multiple Reflective cross-site scripting (XSS) vulnerabilities in search and display of event data in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitrary web script or HTML, as demonstrated by the fName parameter. |
CVE-2016-4890 | 1 Zohocorp | 1 Servicedesk Plus | 2023-12-10 | 5.0 MEDIUM | 5.3 MEDIUM | ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a cookie. |
CVE-2016-6600 | 1 Zohocorp | 1 Webnms Framework | 2023-12-10 | 7.5 HIGH | 9.8 CRITICAL | Directory traversal vulnerability in the file upload functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to upload and execute arbitrary JSP files via a .. (dot dot) in the fileName parameter to servlets/FileUploadServlet. |
CVE-2016-6603 | 1 Zohocorp | 1 Webnms Framework | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL | ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to bypass authentication and impersonate arbitrary users via the UserName HTTP header. |
CVE-2017-7213 | 1 Zohocorp | 1 Manageengine Desktop Central | 2023-12-10 | 10.0 HIGH | 10.0 CRITICAL | Zoho ManageEngine Desktop Central before build 100082 allows remote attackers to obtain control over all connected active desktops via unspecified vectors. |
CVE-2016-6601 | 1 Zohocorp | 1 Webnms Framework | 2023-12-10 | 5.0 MEDIUM | 7.5 HIGH | Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to read arbitrary files via a .. (dot dot) in the fileName parameter to servlets/FetchFile. |
CVE-2016-1161 | 1 Zohocorp | 1 Password Manager Pro | 2023-12-10 | 6.0 MEDIUM | 8.0 HIGH | Cross-site request forgery (CSRF) vulnerability in ManageEngine Password Manager Pro before 8.5 (Build 8500). |
CVE-2016-4889 | 1 Zohocorp | 1 Servicedesk Plus | 2023-12-10 | 6.5 MEDIUM | 8.8 HIGH | ZOHO ManageEngine ServiceDesk Plus before 9.0 allows remote authenticated guest users to have unspecified impact by leveraging failure to restrict access to unknown functions. |
CVE-2016-4888 | 1 Zohocorp | 1 Servicedesk Plus | 2023-12-10 | 3.5 LOW | 5.4 MEDIUM | Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ServiceDesk Plus before 9.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
CVE-2016-6602 | 1 Zohocorp | 1 Webnms Framework | 2023-12-10 | 5.0 MEDIUM | 9.8 CRITICAL | ZOHO WebNMS Framework 5.2 and 5.2 SP1 use a weak obfuscation algorithm to store passwords, which allows context-dependent attackers to obtain cleartext passwords by leveraging access to WEB-INF/conf/securitydbData.xml. NOTE: this issue can be combined with CVE-2016-6601 for a remote exploit. |
CVE-2015-2169 | 1 Zohocorp | 1 Manageengine Assetexplorer | 2023-12-10 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExplorer 6.1 service pack 6112 allows remote attackers to inject arbitrary web script or HTML via a Publisher registry entry, which is not properly handled when the machine is scanned. |
CVE-2015-5061 | 1 Zohocorp | 1 Manageengine Assetexplorer | 2023-12-10 | 3.5 LOW | N/A | Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExplorer 6.1 service pack 6112 and earlier allows remote authenticated users with permissions to add new vendors to inject arbitrary web script or HTML via the organizationName parameter to VendorDef.do. |
CVE-2015-7387 | 1 Zohocorp | 1 Manageengine Eventlog Analyzer | 2023-12-10 | 7.5 HIGH | N/A | ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions and execute arbitrary SQL commands via an allowed query followed by a disallowed one in the query parameter to event/runQuery.do, as demonstrated by "SELECT 1;INSERT INTO." Fixed in Build 11200. |
CVE-2015-5150 | 1 Zohocorp | 1 Manageengine Supportcenter Plus | 2023-12-10 | 3.5 LOW | N/A | Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.90 allow remote authenticated users to inject arbitrary web script or HTML via the (1) query parameter in the run_query_editor_query module to CustomReportHandler.do, (2) compAcct parameter to jsp/ResetADPwd.jsp, or (3) redirectTo parameter to jsp/CacheScreenWidth.jsp. |
CVE-2015-7766 | 1 Zohocorp | 1 Manageengine Opmanager | 2023-12-10 | 9.0 HIGH | N/A | PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and earlier allows remote administrators to bypass SQL query restrictions via a comment in the query to api/json/admin/SubmitQuery, as demonstrated by "INSERT/**/INTO." |
CVE-2015-4418 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2023-12-10 | 5.0 MEDIUM | N/A | Zoho NetFlow Analyzer build 10250 and earlier does not have an off autocomplete attribute for a password field, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation. |
CVE-2015-2960 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2023-12-10 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in Zoho NetFlow Analyzer build 10250 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |