anchore_overrides,nvd
Zohocorp
Vulnerabilities
554
Known exploited
9
Critical
142
High
188
Top products
Manageengine Applications Manager56Manageengine Opmanager56Manageengine Admanager Plus53Manageengine Adaudit Plus52Manageengine Adselfservice Plus51Manageengine Servicedesk Plus50Manageengine Desktop Central48Manageengine Supportcenter Plus31Manageengine Exchange Reporter Plus28Manageengine Netflow Analyzer28Manageengine Assetexplorer26Manageengine Servicedesk Plus Msp26Manageengine Password Manager Pro22Manageengine Eventlog Analyzer19Manageengine Network Configuration Manager14Manageengine Pam36014Manageengine Remote Access Plus14Manageengine Firewall Analyzer12Manageengine Access Manager Plus11Manageengine It3609
Top vulnerabilities
CVE-2019-3905Zoho ManageEngine ADSelfService Plus 5.x before build 5703 has SSRF.
CVE-2017-7213Zoho ManageEngine Desktop Central before build 100082 allows remote attackers to obtain control over all connected active desktops via unspecified vectors.
CVE-2014-9371The NativeAppServlet in ManageEngine Desktop Central MSP before 90075 allows remote attackers to execute arbitrary code via a crafted JSON object.
CVE-2024-5471Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to agent takeover vulnerability due to the hard-coded sensitive keys.
CVE-2023-48793Zoho ManageEngine ADAudit Plus through 7250 allows SQL Injection in the aggregate report feature.
CVE-2023-48792Zoho ManageEngine ADAudit Plus through 7250 is vulnerable to SQL Injection in the report export option.
CVE-2023-35854Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is that they have "found no evidence or detail of a security vulnerability."
CVE-2023-23076OS Command injection vulnerability in Support Center Plus 11 via Executor in Action when creating new schedules.
CVE-2022-47523Zoho ManageEngine Access Manager Plus before 4309, Password Manager Pro before 12210, and PAM360 before 5801 are vulnerable to SQL Injection.
CVE-2022-43672Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection (in a different software component relative to CVE-2022-43671.
CVE-2022-43671Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection.
CVE-2022-40300Zoho ManageEngine Password Manager Pro through 12120 before 12121, PAM360 through 5550 before 5600, and Access Manager Plus through 4304 before 4305 have multiple SQL injection vulnerabilities.
CVE-2022-36412In Zoho ManageEngine SupportCenter Plus before 11023, V3 API requests are vulnerable to authentication bypass. (An API request may, in effect, be executed with the credentials of a user who authenticated in the past.)
CVE-2022-35405Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.)
CVE-2022-29535Zoho ManageEngine OPManager through 125588 allows SQL Injection via a few default reports.
CVE-2022-29081Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. FetchEvents. and Synchronize) via the ../RestAPI substring.
CVE-2022-28219Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution.
CVE-2022-24306Zoho ManageEngine SharePoint Manager Plus before 4329 allows account takeover because authorization is mishandled.
CVE-2022-24305Zoho ManageEngine SharePoint Manager Plus before 4329 is vulnerable to a sensitive data leak that leads to privilege escalation.
CVE-2021-44676Zoho ManageEngine Access Manager Plus before 4203 allows anyone to view a few data elements (e.g., access control details) and modify a few aspects of the application state.
CVE-2021-44675Zoho ManageEngine ServiceDesk Plus MSP before 10.5 Build 10534 is vulnerable to unauthenticated remote code execution due to a filter bypass in which authentication is not required.
CVE-2021-44526Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.
CVE-2021-44525Zoho ManageEngine PAM360 before build 5303 allows attackers to modify a few aspects of application state because of a filter bypass in which authentication is not required.
CVE-2021-44515Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in the wild in December 2021. For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.
CVE-2021-44514OpUtils in Zoho ManageEngine OpManager 12.5 before 125490 mishandles authentication for a few audit directories.