Vulnerabilities > Zohocorp > Manageengine Applications Manager

DATE CVE VULNERABILITY TITLE RISK
2018-07-02 CVE-2018-13050 SQL Injection vulnerability in Zohocorp Manageengine Applications Manager 13.0
A SQL Injection vulnerability exists in Zoho ManageEngine Applications Manager 13.x before build 13800 via the j_username parameter in a /j_security_check POST request.
network
low complexity
zohocorp CWE-89
critical
 9.8
9.8
2018-06-29 CVE-2018-12996 Cross-site Scripting vulnerability in Zohocorp Manageengine Applications Manager
A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager before 13 (Build 13800) allows remote attackers to inject arbitrary web script or HTML via the parameter 'method' to GraphicalView.do.
network
low complexity
zohocorp CWE-79
6.1
6.1
2018-06-06 CVE-2018-11808 Improper Input Validation vulnerability in Zohocorp Manageengine Applications Manager 13
Incorrect Access Control in CustomFieldsFeedServlet in Zoho ManageEngine Applications Manager Version 13 before build 13740 allows an attacker to delete any file and read certain files on the server in the context of the user (which by default is "NT AUTHORITY / SYSTEM") by sending a specially crafted request to the server.
network
low complexity
zohocorp CWE-20
critical
 9.1
9.1
2018-03-08 CVE-2018-7890 OS Command Injection vulnerability in Zohocorp Manageengine Applications Manager
A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640).
network
low complexity
zohocorp CWE-78
critical
 9.8
9.8
2017-11-16 CVE-2017-16851 SQL Injection vulnerability in Zohocorp Manageengine Applications Manager 13.0
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do widgetid parameter.
network
low complexity
zohocorp CWE-89
critical
 9.8
9.8
2017-11-16 CVE-2017-16850 SQL Injection vulnerability in Zohocorp Manageengine Applications Manager 13.0
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a getResourceProfiles action.
network
low complexity
zohocorp CWE-89
critical
 9.8
9.8
2017-11-16 CVE-2017-16849 SQL Injection vulnerability in Zohocorp Manageengine Applications Manager 13.0
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do?method=viewDashBoard forpage parameter.
network
low complexity
zohocorp CWE-89
critical
 9.8
9.8
2017-11-16 CVE-2017-16848 SQL Injection vulnerability in Zohocorp Manageengine Applications Manager 13.0
Zoho ManageEngine Applications Manager 13 allows SQL injection via the /manageConfMons.do groupname parameter.
network
low complexity
zohocorp CWE-89
critical
 9.8
9.8
2017-11-16 CVE-2017-16847 SQL Injection vulnerability in Zohocorp Manageengine Applications Manager 13.0
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a showPlasmaView action.
network
low complexity
zohocorp CWE-89
critical
 9.8
9.8
2017-11-16 CVE-2017-16846 SQL Injection vulnerability in Zohocorp Manageengine Applications Manager 13.0
Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /manageApplications.do?method=AddSubGroup haid parameter.
network
low complexity
zohocorp CWE-89
critical
 9.8
9.8