Vulnerabilities > Zohocorp
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2015-10-09 | CVE-2015-7766 | Permissions, Privileges, and Access Controls vulnerability in Zohocorp Manageengine Opmanager 11.4/11.5/11.6 PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and earlier allows remote administrators to bypass SQL query restrictions via a comment in the query to api/json/admin/SubmitQuery, as demonstrated by "INSERT/**/INTO." | 9.0 |
| 2015-10-09 | CVE-2015-7765 | Hardcoded Password Information Disclosure vulnerability in Zohocorp Manageengine Opmanager 11.5 ZOHO ManageEngine OpManager 11.5 build 11600 and earlier uses a hardcoded password of "plugin" for the IntegrationUser account, which allows remote authenticated users to obtain administrator access by leveraging knowledge of this password. | 9.0 |
| 2015-09-28 | CVE-2015-7387 | SQL Injection vulnerability in Zohocorp Manageengine Eventlog Analyzer ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions and execute arbitrary SQL commands via an allowed query followed by a disallowed one in the query parameter to event/runQuery.do, as demonstrated by "SELECT 1;INSERT INTO." Fixed in Build 11200. | 7.5 |
| 2015-07-08 | CVE-2015-5459 | SQL Injection vulnerability in Zohocorp Manageengine Password Manager PRO SQL injection vulnerability in the AdvanceSearch.class in AdventNetPassTrix.jar in ManageEngine Password Manager Pro (PMP) before 8.1 Build 8101 allows remote authenticated users to execute arbitrary SQL commands via the ANDOR parameter, as demonstrated by a request to STATE_ID/1425543888647/SQLAdvancedALSearchResult.cc. | 6.5 |
| 2015-06-30 | CVE-2015-5150 | Cross-site Scripting vulnerability in Zohocorp Manageengine Supportcenter Plus 7.90 Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.90 allow remote authenticated users to inject arbitrary web script or HTML via the (1) query parameter in the run_query_editor_query module to CustomReportHandler.do, (2) compAcct parameter to jsp/ResetADPwd.jsp, or (3) redirectTo parameter to jsp/CacheScreenWidth.jsp. | 3.5 |
| 2015-06-30 | CVE-2015-5149 | Path Traversal vulnerability in Zohocorp Manageengine Supportcenter Plus 7.90 Directory traversal vulnerability in Zoho ManageEngine SupportCenter Plus 7.90 allows remote authenticated users to write to arbitrary files via a .. | 5.5 |
| 2015-06-24 | CVE-2015-5061 | Cross-site Scripting vulnerability in Zohocorp Manageengine Assetexplorer 6.1 Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExplorer 6.1 service pack 6112 and earlier allows remote authenticated users with permissions to add new vendors to inject arbitrary web script or HTML via the organizationName parameter to VendorDef.do. | 3.5 |
| 2015-06-24 | CVE-2015-2169 | Cross-site Scripting vulnerability in Zohocorp Manageengine Assetexplorer 6.1 Cross-site scripting (XSS) vulnerability in Zoho ManageEngine AssetExplorer 6.1 service pack 6112 allows remote attackers to inject arbitrary web script or HTML via a Publisher registry entry, which is not properly handled when the machine is scanned. | 4.3 |
| 2015-06-09 | CVE-2015-4418 | Improper Access Control vulnerability in Zohocorp Manageengine Netflow Analyzer Zoho NetFlow Analyzer build 10250 and earlier does not have an off autocomplete attribute for a password field, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation. | 5.0 |
| 2015-06-09 | CVE-2015-2961 | Cross-Site Request Forgery (CSRF) vulnerability in Zohocorp Manageengine Netflow Analyzer Cross-site request forgery (CSRF) vulnerability in Zoho NetFlow Analyzer build 10250 and earlier allows remote attackers to hijack the authentication of administrators. | 6.8 |