Vulnerabilities > Zohocorp > Manageengine Applications Manager > 11.2

DATE CVE VULNERABILITY TITLE RISK
2020-09-25 CVE-2020-15394 SQL Injection vulnerability in Zohocorp Manageengine Applications Manager
The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution.
network
low complexity
zohocorp CWE-89
critical
 9.8
9.8
2020-09-04 CVE-2020-14008 Unrestricted Upload of File with Dangerous Type vulnerability in Zohocorp Manageengine Applications Manager
Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution.
network
low complexity
zohocorp CWE-434
7.2
7.2
2020-03-13 CVE-2019-19799 Missing Authentication for Critical Function vulnerability in Zohocorp Manageengine Applications Manager
Zoho ManageEngine Applications Manager before 14600 allows a remote unauthenticated attacker to disclose license related information via WieldFeedServlet servlet.
network
low complexity
zohocorp CWE-306
5.3
5.3
2020-02-08 CVE-2014-7863 Information Exposure vulnerability in Zohocorp products
The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users to (1) read arbitrary files via the fileName parameter in a copyfile operation or (2) obtain sensitive information via a directory listing in a listdirectory operation to servlet/FailOverHelperServlet.
network
low complexity
zohocorp CWE-200
7.5
7.5
2019-12-11 CVE-2019-19650 SQL Injection vulnerability in Zohocorp Manageengine Applications Manager
Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function.
network
low complexity
zohocorp CWE-89
8.8
8.8
2019-12-11 CVE-2019-19649 SQL Injection vulnerability in Zohocorp Manageengine Applications Manager
Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function.
network
low complexity
zohocorp CWE-89
critical
 9.8
9.8
2019-04-22 CVE-2019-11448 SQL Injection vulnerability in Zohocorp Manageengine Applications Manager
An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0.
network
low complexity
zohocorp CWE-89
critical
 9.8
9.8
2018-08-08 CVE-2018-15169 Cross-site Scripting vulnerability in Zohocorp Manageengine Applications Manager
A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager 13 before build 13820 allows remote attackers to inject arbitrary web script or HTML via the /deleteMO.do method parameter.
network
low complexity
zohocorp CWE-79
6.1
6.1
2018-08-08 CVE-2018-15168 SQL Injection vulnerability in Zohocorp Manageengine Applications Manager
A SQL Injection vulnerability exists in the Zoho ManageEngine Applications Manager 13 before build 13820 via the resids parameter in a /editDisplaynames.do?method=editDisplaynames GET request.
network
low complexity
zohocorp CWE-89
critical
 9.8
9.8
2018-06-29 CVE-2018-12996 Cross-site Scripting vulnerability in Zohocorp Manageengine Applications Manager
A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager before 13 (Build 13800) allows remote attackers to inject arbitrary web script or HTML via the parameter 'method' to GraphicalView.do.
network
low complexity
zohocorp CWE-79
6.1
6.1