Vulnerabilities > Zohocorp
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-06-29 | CVE-2018-12997 | Information Exposure vulnerability in Zohocorp products Incorrect Access Control in FailOverHelperServlet in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows attackers to read certain files on the web server without login by sending a specially crafted request to the server with the operation=copyfile&fileName= substring. | 7.5 |
| 2018-06-29 | CVE-2018-12996 | Cross-site Scripting vulnerability in Zohocorp Manageengine Applications Manager A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager before 13 (Build 13800) allows remote attackers to inject arbitrary web script or HTML via the parameter 'method' to GraphicalView.do. | 6.1 |
| 2018-06-06 | CVE-2018-11808 | Improper Input Validation vulnerability in Zohocorp Manageengine Applications Manager 13 Incorrect Access Control in CustomFieldsFeedServlet in Zoho ManageEngine Applications Manager Version 13 before build 13740 allows an attacker to delete any file and read certain files on the server in the context of the user (which by default is "NT AUTHORITY / SYSTEM") by sending a specially crafted request to the server. | 9.1 |
| 2018-05-29 | CVE-2018-10466 | SQL Injection vulnerability in Zohocorp Manageengine Adaudit Plus 4.1.0/4.5.0 Zoho ManageEngine ADAudit Plus before 5.0.0 build 5100 allows blind SQL Injection. | 9.8 |
| 2018-05-11 | CVE-2018-7248 | Unspecified vulnerability in Zohocorp Manageengine Servicedesk Plus 9.3 An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. | 5.3 |
| 2018-05-10 | CVE-2018-10803 | Cross-site Scripting vulnerability in Zohocorp Manageengine Netflow Analyzer Cross-site scripting (XSS) vulnerability in the add credentials functionality in Zoho ManageEngine NetFlow Analyzer v12.3 before 12.3.125 (build 123125) allows remote attackers to inject arbitrary web script or HTML via a crafted description value. | 6.1 |
| 2018-04-18 | CVE-2018-5342 | Incorrect Permission Assignment for Critical Resource vulnerability in Zohocorp Manageengine Desktop Central 10.0.124/10.0.184 An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: network services (Desktop Central and PostgreSQL) running with a superuser account. | 7.2 |
| 2018-04-18 | CVE-2018-5341 | Improper Input Validation vulnerability in Zohocorp Manageengine Desktop Central 10.0.124/10.0.184 An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: a missing server-side check on the file type/extension when uploading and modifying scripts. | 9.8 |
| 2018-04-18 | CVE-2018-5340 | Unspecified vulnerability in Zohocorp Manageengine Desktop Central 10.0.124/10.0.184 An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: database access using a superuser account (specifically, an account with permission to write to the filesystem via SQL queries). | 7.2 |
| 2018-04-18 | CVE-2018-5339 | Missing Authentication for Critical Function vulnerability in Zohocorp Manageengine Desktop Central 10.0.124/10.0.184 An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: insufficient enforcement of database query type restrictions. | 9.8 |