Filtered by vendor Zohocorp
Subscribe
Total
484 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-23078 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2025-03-27 | N/A | 6.1 MEDIUM |
| Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets. | |||||
| CVE-2023-23077 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2025-03-27 | N/A | 6.1 MEDIUM |
| Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment. | |||||
| CVE-2023-23076 | 1 Zohocorp | 1 Manageengine Supportcenter Plus | 2025-03-27 | N/A | 9.8 CRITICAL |
| OS Command injection vulnerability in Support Center Plus 11 via Executor in Action when creating new schedules. | |||||
| CVE-2022-35405 | 1 Zohocorp | 3 Manageengine Access Manager Plus, Manageengine Pam360, Manageengine Password Manager Pro | 2025-03-27 | N/A | 9.8 CRITICAL |
| Zoho ManageEngine Password Manager Pro before 12101 and PAM360 before 5510 are vulnerable to unauthenticated remote code execution. (This also affects ManageEngine Access Manager Plus before 4303 with authentication.) | |||||
| CVE-2022-28810 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2025-03-27 | 7.1 HIGH | 6.8 MEDIUM |
| Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field. | |||||
| CVE-2024-50053 | 1 Zohocorp | 3 Manageengine Servicedesk Plus, Manageengine Servicedesk Plus Msp, Manageengine Supportcentre Plus | 2025-03-27 | N/A | 6.3 MEDIUM |
| Zohocorp ManageEngine ServiceDesk Plus versions below 14920 , ServiceDesk Plus MSP and SupportCentre Plus versions below 14910 are vulnerable to Stored XSS in the task feature. | |||||
| CVE-2023-0169 | 1 Zohocorp | 1 Zoho Forms | 2025-03-21 | N/A | 5.4 MEDIUM |
| The Zoho Forms WordPress plugin before 3.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2019-8394 | 1 Zohocorp | 1 Manageengine Servicedesk Plus | 2025-03-14 | 4.0 MEDIUM | 6.5 MEDIUM |
| Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization. | |||||
| CVE-2020-10189 | 1 Zohocorp | 1 Manageengine Desktop Central | 2025-03-14 | 10.0 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets. | |||||
| CVE-2021-44515 | 1 Zohocorp | 1 Manageengine Desktop Central | 2025-03-14 | 10.0 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in the wild in December 2021. For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. | |||||
| CVE-2021-44077 | 1 Zohocorp | 3 Manageengine Servicedesk Plus, Manageengine Servicedesk Plus Msp, Manageengine Supportcenter Plus | 2025-03-14 | 7.5 HIGH | 9.8 CRITICAL |
| Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration. | |||||
| CVE-2022-48362 | 1 Zohocorp | 1 Manageengine Desktop Central | 2025-03-11 | N/A | 8.8 HIGH |
| Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2 allow directory traversal via computerName to AgentLogUploadServlet. A remote, authenticated attacker could upload arbitrary code that would be executed when Desktop Central is restarted. (The attacker could authenticate by exploiting CVE-2021-44515.) | |||||
| CVE-2023-38333 | 1 Zohocorp | 1 Manageengine Applications Manager | 2025-03-07 | N/A | 6.1 MEDIUM |
| Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in. | |||||
| CVE-2023-26600 | 1 Zohocorp | 4 Manageengine Assetexplorer, Manageengine Servicedesk Plus, Manageengine Servicedesk Plus Msp and 1 more | 2025-03-06 | N/A | 6.5 MEDIUM |
| ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Explorer through 6987 allow privilege escalation via query reports. | |||||
| CVE-2023-6105 | 3 Linux, Microsoft, Zohocorp | 41 Linux Kernel, Windows, Manageengine Access Manager Plus and 38 more | 2025-02-13 | N/A | 5.5 MEDIUM |
| An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine product database. | |||||
| CVE-2023-28342 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2025-02-13 | N/A | 7.5 HIGH |
| Zoho ManageEngine ADSelfService Plus before 6218 allows anyone to conduct a Denial-of-Service attack via the Mobile App Authentication API. | |||||
| CVE-2023-28341 | 1 Zohocorp | 1 Manageengine Applications Manager | 2025-02-10 | N/A | 6.1 MEDIUM |
| Stored Cross site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to inject malicious javascript on the incorrect login details page. | |||||
| CVE-2023-28340 | 1 Zohocorp | 1 Manageengine Applications Manager | 2025-02-10 | N/A | 6.5 MEDIUM |
| Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack. | |||||
| CVE-2023-29084 | 1 Zohocorp | 1 Manageengine Admanager Plus | 2025-02-07 | N/A | 7.2 HIGH |
| Zoho ManageEngine ADManager Plus before 7181 allows for authenticated users to exploit command injection via Proxy settings. | |||||
| CVE-2023-29443 | 1 Zohocorp | 4 Manageengine Assetexplorer, Manageengine Servicedesk Plus, Manageengine Servicedesk Plus Msp and 1 more | 2025-02-03 | N/A | 4.9 MEDIUM |
| Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint. | |||||