A design issue was discovered in GetInternetRequestHandle, InternetSendRequestEx and InternetSendRequestByBitrate in the client side of Zoho ManageEngine Desktop Central 10.0.552.W and Remote Access Plus before 10.1.2119.1. By exploiting this issue, an attacker-controlled server can force the client to skip TLS certificate validation, leading to a man-in-the-middle attack against HTTPS and unauthenticated remote code execution.
In Zoho ManageEngine Application Manager 13.1 Build 13100, the administrative user has the ability to upload files/binaries that can be executed upon the occurrence of an alarm. An attacker can abuse this functionality by uploading a malicious script that can be executed on the remote system.
Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.
Zoho ManageEngine O365 Manager Plus before Build 4416 allows remote code execution via BCP file overwrite through the ChangeDBAPI component.
Zoho ManageEngine Log360 before Build 5219 allows a CSRF attack on proxy settings.
Cross-site request forgery (CSRF) vulnerability in Zoho NetFlow Analyzer build 10250 and earlier allows remote attackers to hijack the authentication of administrators.
Cross-site request forgery (CSRF) vulnerability in ZOHO ManageEngine Desktop Central before 9 build 90130 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via an addUser action to STATE_ID/1417736606982/roleMgmt.do.
Zoho ManageEngine ADSelfService Plus 5.x through 5803 has CSRF on the users' profile information page. Users who are attacked with this vulnerability will be forced to modify their enrolled information, such as email and mobile phone, unintentionally. Attackers could use the reset password function and control the system to send the authentication code back to the channel that the attackers own.
Zoho ManageEngine Log360 before Build 5224 allows a CSRF attack for disabling the logon security settings.
Zoho ManageEngine Cloud Security Plus before Build 4117 allows a CSRF attack on the server proxy settings.
/LoadFrame in Zoho ManageEngine AD Manager Plus build 6590 - 6613 allows attackers to conduct URL Redirection attacks via the src parameter, resulting in a bypass of CSRF protection, or potentially masquerading a malicious URL as trusted.
Zoho ManageEngine Password Manager Pro 10.4 and prior has no protection against Cross-site Request Forgery (CSRF) attacks, as demonstrated by changing a user's role.
Zohocorp ManageEngine Exchange Reporter Plus versions 5717 and below are vulnerable to the authenticated SQL injection in the reports module.
Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in alerts module.
Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in file summary option.
Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in dashboard. Note: This vulnerability is different from another vulnerability (CVE-2024-36515), both of which have affected ADAudit Plus' dashboard.
Zohocorp ManageEngine ADAudit Plus versions below 8003 are vulnerable to authenticated SQL Injection in aggregate reports' search option.
Zohocorp ManageEngine ADAudit Plus versions below 8003 are vulnerable to authenticated SQL Injection in user session recording.
Zohocorp ManageEngine Exchange Reporter Plus versions 5717 and below are vulnerable to the authenticated SQL injection in the monitoring module.
Zoho ManageEngine ADAudit Plus before 5.0.0 build 5100 allows blind SQL Injection.
Zohocorp ManageEngine ADAudit Plus versions below 8110 are vulnerable to authenticated SQL Injection in attack surface analyzer's dashboard.
Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to SQL Injection in Technician reports option.
Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the RCA module.
In Zoho ManageEngine Application Manager 14.7 Build 14730 (before 14684, and between 14689 and 14750), the AlarmEscalation module is vulnerable to unauthenticated SQL Injection attack.
The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution.
Zoho ManageEngine Access Manager Plus before 4309, Password Manager Pro before 12210, and PAM360 before 5801 are vulnerable to SQL Injection.
An issue was discovered in ZOHO ManageEngine OpManager 12.2. The 'apiKey' parameter of "/api/json/admin/getmailserversettings" and "/api/json/dashboard/gotoverviewlist" is vulnerable to a Blind SQL Injection attack.
Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection (in a different software component relative to CVE-2022-43671.
Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection.
Zoho ManageEngine Password Manager Pro through 12120 before 12121, PAM360 through 5550 before 5600, and Access Manager Plus through 4304 before 4305 have multiple SQL injection vulnerabilities.
Zoho ManageEngine Exchange Reporter Plus versions 5714 and below are vulnerable to the Authenticated SQL injection in report exporting feature.
Zoho ManageEngine Network Configuration Manager before 125465 is vulnerable to SQL Injection in a hardware details search.
The NetFlow Analyzer in Zoho ManageEngine OpManger before 125455 is vulnerable to SQL Injection in the Attacks Module API.
Zoho ManageEngine Network Configuration Manager before 125465 is vulnerable to SQL Injection in a configuration search.
Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL Injection in lockout history option. Note: Non-admin users cannot exploit this vulnerability.
ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions and execute arbitrary SQL commands via an allowed query followed by a disallowed one in the query parameter to event/runQuery.do, as demonstrated by "SELECT 1;INSERT INTO." Fixed in Build 11200.
ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in File-Summary DrillDown. This issue has been fixed and released in version 7271.
ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in home Graph-Data.
SQL injection vulnerability in the AdvanceSearch.class in AdventNetPassTrix.jar in ManageEngine Password Manager Pro (PMP) before 8.1 Build 8101 allows remote authenticated users to execute arbitrary SQL commands via the ANDOR parameter, as demonstrated by a request to STATE_ID/1425543888647/SQLAdvancedALSearchResult.cc.
Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the alerts module.
SQL injection vulnerability in reports/CreateReportTable.jsp in ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to execute arbitrary SQL commands via the site parameter.
Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL injection while adding file shares.
Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL Injection while getting aggregate report data.
Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL injection in the aggregate reports search option.
Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL injection in the dashboard graph feature.
Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL injection while getting file server details.
Zoho ManageEngine ADAudit Plus through 7250 is vulnerable to SQL Injection in the report export option.
Zoho ManageEngine ADAudit Plus through 7250 allows SQL Injection in the aggregate report feature.
SQL injection vulnerability in the com.manageengine.opmanager.servlet.UpdateProbeUpgradeStatus servlet in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the probeName parameter.
Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL Injection while exporting a full summary report.