Vulnerabilities > Zohocorp

DATE CVE VULNERABILITY TITLE RISK
2022-05-24 CVE-2022-23050 Unrestricted Upload of File with Dangerous Type vulnerability in Zohocorp Manageengine Applications Manager
ManageEngine AppManager15 (Build No:15510) allows an authenticated admin user to upload a DLL file to perform a DLL hijack attack inside the 'working' folder through the 'Upload Files / Binaries' functionality.
Risk: network, low complexity, zohocorp CWE-434, 6.5

2022-05-20 CVE-2022-28987 Unspecified vulnerability in Zohocorp Manageengine Adselfservice Plus 6.1
Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login.
Risk: network, low complexity, zohocorp, 5.0

2022-05-05 CVE-2022-29535 SQL Injection vulnerability in Zohocorp Manageengine Opmanager
Zoho ManageEngine OPManager through 125588 allows SQL Injection via a few default reports.
Risk: network, low complexity, zohocorp CWE-89, 7.5

2022-04-28 CVE-2022-29081 Incorrect Authorization vulnerability in Zohocorp products
Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction.
Risk: network, low complexity, zohocorp CWE-863, 7.5

2022-04-18 CVE-2022-29457 Insufficiently Protected Credentials vulnerability in Zohocorp products
Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.
Risk: network, low complexity, zohocorp CWE-522, 6.5

2022-04-18 CVE-2022-27908 SQL Injection vulnerability in Zohocorp Manageengine Opmanager
Zoho ManageEngine OpManager before 125588 (and before 125603) is vulnerable to authenticated SQL Injection in the Inventory Reports module.
Risk: network, low complexity, zohocorp CWE-89, 6.5

2022-04-18 CVE-2022-28810 OS Command Injection vulnerability in Zohocorp Manageengine Adselfservice Plus
Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary OS commands as SYSTEM via the policy custom script feature.
Risk: network, high complexity, zohocorp CWE-78, 7.1

2022-04-16 CVE-2022-26653 Exposure of Resource to Wrong Sphere vulnerability in Zohocorp Manageengine Remote Access Plus
Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view domain details (such as the username and GUID of an administrator).
Risk: network, low complexity, zohocorp CWE-668, 5.0

2022-04-16 CVE-2022-26777 Exposure of Resource to Wrong Sphere vulnerability in Zohocorp Manageengine Remote Access Plus
Zoho ManageEngine Remote Access Plus before 10.1.2137.15 allows guest users to view license details.
Risk: network, low complexity, zohocorp CWE-668, 5.0

2022-04-07 CVE-2022-24681 Cross-site Scripting vulnerability in Zohocorp Manageengine Adselfservice Plus
Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen.
Risk: network, zohocorp CWE-79, 4.3