Vulnerabilities > Zohocorp > Manageengine Applications Manager

DATE CVE VULNERABILITY TITLE RISK
2020-03-13 CVE-2019-19799 Missing Authentication for Critical Function vulnerability in Zohocorp Manageengine Applications Manager
Zoho ManageEngine Applications Manager before 14600 allows a remote unauthenticated attacker to disclose license related information via WieldFeedServlet servlet.
network
low complexity
zohocorp CWE-306
5.3
5.3
2020-02-08 CVE-2014-7863 Information Exposure vulnerability in Zohocorp products
The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users to (1) read arbitrary files via the fileName parameter in a copyfile operation or (2) obtain sensitive information via a directory listing in a listdirectory operation to servlet/FailOverHelperServlet.
network
low complexity
zohocorp CWE-200
7.5
7.5
2020-02-06 CVE-2019-19800 Missing Authentication for Critical Function vulnerability in Zohocorp Manageengine Applications Manager 14.0
Zoho ManageEngine Applications Manager 14 before 14520 allows a remote unauthenticated attacker to disclose OS file names via FailOverHelperServlet.
network
low complexity
zohocorp CWE-306
5.3
5.3
2020-01-10 CVE-2019-19475 Incorrect Default Permissions vulnerability in Zohocorp Manageengine Applications Manager 14.3
An issue was discovered in ManageEngine Applications Manager 14 with Build 14360.
network
low complexity
zohocorp CWE-276
8.8
8.8
2019-12-11 CVE-2019-19650 SQL Injection vulnerability in Zohocorp Manageengine Applications Manager
Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function.
network
low complexity
zohocorp CWE-89
8.8
8.8
2019-12-11 CVE-2019-19649 SQL Injection vulnerability in Zohocorp Manageengine Applications Manager
Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function.
network
low complexity
zohocorp CWE-89
critical
 9.8
9.8
2019-08-16 CVE-2019-15105 SQL Injection vulnerability in Zohocorp Manageengine Applications Manager
An issue was discovered in Zoho ManageEngine Application Manager through 14.2.
network
low complexity
zohocorp CWE-89
8.8
8.8
2019-08-16 CVE-2019-15104 SQL Injection vulnerability in Zohocorp Manageengine Applications Manager
An issue was discovered in Zoho ManageEngine OpManager through 12.4x.
network
low complexity
zohocorp CWE-89
8.8
8.8
2019-05-23 CVE-2017-11557 Information Exposure vulnerability in Zohocorp Manageengine Applications Manager 12.3
An issue was discovered in ZOHO ManageEngine Applications Manager 12.3.
network
low complexity
zohocorp CWE-200
5.3
5.3
2019-05-23 CVE-2017-11740 Improper Input Validation vulnerability in Zohocorp Manageengine Applications Manager 13.1
In Zoho ManageEngine Application Manager 13.1 Build 13100, the administrative user has the ability to upload files/binaries that can be executed upon the occurrence of an alarm.
network
low complexity
zohocorp CWE-20
8.8
8.8