Vulnerabilities > Zohocorp
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-02-19 | CVE-2017-16924 | Use of Insufficiently Random Values vulnerability in Zohocorp Manageengine Desktop Central 10.0.137 Remote Information Disclosure and Escalation of Privileges in ManageEngine Desktop Central MSP 10.0.137 allows attackers to download unencrypted XML files containing all data for configuration policies via a predictable /client-data/<client_id>/collections/##/usermgmt.xml URL, as demonstrated by passwords and Wi-Fi keys. | 5.0 |
| 2018-02-07 | CVE-2017-17552 | Cross-Site Request Forgery (CSRF) vulnerability in Zohocorp Manageengine Admanager Plus /LoadFrame in Zoho ManageEngine AD Manager Plus build 6590 - 6613 allows attackers to conduct URL Redirection attacks via the src parameter, resulting in a bypass of CSRF protection, or potentially masquerading a malicious URL as trusted. | 6.8 |
| 2018-01-04 | CVE-2014-7862 | Permissions, Privileges, and Access Controls vulnerability in Zohocorp Desktop Central The DCPluginServelet servlet in ManageEngine Desktop Central and Desktop Central MSP before build 90109 allows remote attackers to create administrator accounts via an addPlugInUser action. | 7.5 |
| 2017-12-15 | CVE-2017-17698 | Cross-site Scripting vulnerability in Zohocorp Manageengine Password Manager PRO Zoho ManageEngine Password Manager Pro 9 before 9.4 (9400) has reflected XSS in SearchResult.ec and BulkAccessControlView.ec. | 4.3 |
| 2017-11-16 | CVE-2017-16851 | SQL Injection vulnerability in Zohocorp Manageengine Applications Manager 13.0 Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do widgetid parameter. | 7.5 |
| 2017-11-16 | CVE-2017-16850 | SQL Injection vulnerability in Zohocorp Manageengine Applications Manager 13.0 Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a getResourceProfiles action. | 7.5 |
| 2017-11-16 | CVE-2017-16849 | SQL Injection vulnerability in Zohocorp Manageengine Applications Manager 13.0 Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do?method=viewDashBoard forpage parameter. | 7.5 |
| 2017-11-16 | CVE-2017-16848 | SQL Injection vulnerability in Zohocorp Manageengine Applications Manager 13.0 Zoho ManageEngine Applications Manager 13 allows SQL injection via the /manageConfMons.do groupname parameter. | 7.5 |
| 2017-11-16 | CVE-2017-16847 | SQL Injection vulnerability in Zohocorp Manageengine Applications Manager 13.0 Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a showPlasmaView action. | 7.5 |
| 2017-11-16 | CVE-2017-16846 | SQL Injection vulnerability in Zohocorp Manageengine Applications Manager 13.0 Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /manageApplications.do?method=AddSubGroup haid parameter. | 7.5 |