Vulnerabilities > Zohocorp > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-06-04 | CVE-2020-13818 | Path Traversal vulnerability in Zohocorp Manageengine Opmanager In Zoho ManageEngine OpManager before 125144, when <cachestart> is used, directory traversal validation can be bypassed. | 7.5 |
| 2020-05-08 | CVE-2020-11531 | Path Traversal vulnerability in Zohocorp products The DataEngine Xnode Server application in Zoho ManageEngine DataSecurity Plus prior to 6.0.1 does not validate the database schema name when handling a DR-SCHEMA-SYNC request. | 8.8 |
| 2020-05-07 | CVE-2020-12116 | Path Traversal vulnerability in Zohocorp Manageengine Opmanager Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request. | 7.5 |
| 2020-04-20 | CVE-2020-11946 | Missing Authentication for Critical Function vulnerability in Zohocorp Manageengine Opmanager 12.5 Zoho ManageEngine OpManager before 125120 allows an unauthenticated user to retrieve an API key via a servlet call. | 7.5 |
| 2020-04-04 | CVE-2020-11527 | Unspecified vulnerability in Zohocorp Manageengine Opmanager In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files. | 7.5 |
| 2020-03-30 | CVE-2020-8509 | Missing Authentication for Critical Function vulnerability in Zohocorp Manageengine Desktop Central Zoho ManageEngine Desktop Central before 10.0.483 allows unauthenticated users to access PDFGenerationServlet, leading to sensitive information disclosure. | 7.5 |
| 2020-03-23 | CVE-2019-19034 | OS Command Injection vulnerability in Zohocorp Manageengine Assetexplorer 6.5 Zoho ManageEngine Asset Explorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. | 7.2 |
| 2020-03-19 | CVE-2019-11361 | Incorrect Authorization vulnerability in Zohocorp Manageengine Remote Access Plus 10.0.258 Zoho ManageEngine Remote Access Plus 10.0.258 does not validate user permissions properly, allowing for privilege escalation and eventually a full application takeover. | 8.8 |
| 2020-03-16 | CVE-2020-9346 | Cross-Site Request Forgery (CSRF) vulnerability in Zohocorp Manageengine Password Manager PRO Zoho ManageEngine Password Manager Pro 10.4 and prior has no protection against Cross-site Request Forgery (CSRF) attacks, as demonstrated by changing a user's role. | 8.8 |
| 2020-02-08 | CVE-2014-7863 | Information Exposure vulnerability in Zohocorp products The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users to (1) read arbitrary files via the fileName parameter in a copyfile operation or (2) obtain sensitive information via a directory listing in a listdirectory operation to servlet/FailOverHelperServlet. | 7.5 |