Vulnerabilities > Zohocorp > Critical
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-04-18 | CVE-2018-5337 | Path Traversal vulnerability in Zohocorp Manageengine Desktop Central 10.0.124/10.0.184 An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: directory traversal in the SCRIPT_NAME field when modifying existing scripts. | 9.8 |
| 2018-03-08 | CVE-2018-7890 | OS Command Injection vulnerability in Zohocorp Manageengine Applications Manager A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). | 9.8 |
| 2018-02-19 | CVE-2017-16924 | Use of Insufficiently Random Values vulnerability in Zohocorp Manageengine Desktop Central 10.0.137 Remote Information Disclosure and Escalation of Privileges in ManageEngine Desktop Central MSP 10.0.137 allows attackers to download unencrypted XML files containing all data for configuration policies via a predictable /client-data/<client_id>/collections/##/usermgmt.xml URL, as demonstrated by passwords and Wi-Fi keys. | 9.8 |
| 2018-01-04 | CVE-2014-7862 | Permissions, Privileges, and Access Controls vulnerability in Zohocorp Desktop Central The DCPluginServelet servlet in ManageEngine Desktop Central and Desktop Central MSP before build 90109 allows remote attackers to create administrator accounts via an addPlugInUser action. | 9.8 |
| 2017-11-16 | CVE-2017-16851 | SQL Injection vulnerability in Zohocorp Manageengine Applications Manager 13.0 Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do widgetid parameter. | 9.8 |
| 2017-11-16 | CVE-2017-16850 | SQL Injection vulnerability in Zohocorp Manageengine Applications Manager 13.0 Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a getResourceProfiles action. | 9.8 |
| 2017-11-16 | CVE-2017-16849 | SQL Injection vulnerability in Zohocorp Manageengine Applications Manager 13.0 Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do?method=viewDashBoard forpage parameter. | 9.8 |
| 2017-11-16 | CVE-2017-16848 | SQL Injection vulnerability in Zohocorp Manageengine Applications Manager 13.0 Zoho ManageEngine Applications Manager 13 allows SQL injection via the /manageConfMons.do groupname parameter. | 9.8 |
| 2017-11-16 | CVE-2017-16847 | SQL Injection vulnerability in Zohocorp Manageengine Applications Manager 13.0 Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a showPlasmaView action. | 9.8 |
| 2017-11-16 | CVE-2017-16846 | SQL Injection vulnerability in Zohocorp Manageengine Applications Manager 13.0 Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /manageApplications.do?method=AddSubGroup haid parameter. | 9.8 |