Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2 allow directory traversal via computerName to AgentLogUploadServlet. A remote, authenticated attacker could upload arbitrary code that would be executed when Desktop Central is restarted. (The attacker could authenticate by exploiting CVE-2021-44515.)
Zohocorp ManageEngine DDI Central versions 4001 and prior were vulnerable to directory traversal vulnerability which allows the user to upload new files to the server folder.
An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: database access using a superuser account (specifically, an account with permission to write to the filesystem via SQL queries).
An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: network services (Desktop Central and PostgreSQL) running with a superuser account.
Zohocorp ManageEngine ADManager Plus versions 7203 and prior are vulnerable to Privilege Escalation in the Modify Computers option.
Zoho ManageEngine Exchange Reporter Plus versions 5714 and below are vulnerable to the Authenticated SQL injection in report exporting feature.
ManageEngine ADManager Plus before 7111 has Pre-authentication RCE vulnerabilities.
ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in File-Summary DrillDown. This issue has been fixed and released in version 7271.
ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in home Graph-Data.
ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to the remote code execution due to the improper handling in the load balancer component. Authentication is required in order to exploit this vulnerability.
SQL injection vulnerability in the AdvanceSearch.class in AdventNetPassTrix.jar in ManageEngine Password Manager Pro (PMP) before 8.1 Build 8101 allows remote authenticated users to execute arbitrary SQL commands via the ANDOR parameter, as demonstrated by a request to STATE_ID/1425543888647/SQLAdvancedALSearchResult.cc.
Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL Injection while getting aggregate report data.
Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL injection while getting file server details.
Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL injection while adding file shares.
Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL injection in the aggregate reports search option.
Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL Injection while exporting a full summary report.
A SSRF vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0, specifically the /smtpConfig.do component. This vulnerability could allow an authenticated attacker to launch targeted attacks, such as a cross-port attack, service enumeration and other attacks via HTTP requests.
SQL injection vulnerability in BulkEditSearchResult.cc in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7.1 build 7105 allows remote authenticated users to execute arbitrary SQL commands via the SEARCH_ALL parameter.
ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 does not properly restrict access to the database browser, which allows remote authenticated users to obtain access to the database via a direct request to event/runQuery.do. Fixed in Build 10000.
Properties.do in ZOHO ManageEngine OpStor before build 8500 does not properly check privilege levels, which allows remote authenticated users to obtain Admin access by using the name parameter in conjunction with a true value of the edit parameter.
ManageEngine ServiceDesk Plus before 9312 contains an XML injection at add Configuration items CMDB API.
ManageEngine ADManager Plus Build 7111 contains a post-authentication remote code execution vulnerability due to improperly validated file uploads in the Personalization interface.
Auth. (subscriber+) Arbitrary Options Update vulnerability in Zoho CRM Lead Magnet plugin <= 1.7.5.8 on WordPress.
Zohocorp ManageEngine Exchange Reporter Plus versions 5718 and prior are vulnerable to authenticated SQL Injection in reports module.
Zoho ManageEngine ServiceDesk Plus MSP before 10609 and SupportCenter Plus before 11025 are vulnerable to privilege escalation. This allows users to obtain sensitive data during an exportMickeyList export of requests from the list view.
Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, and OpUtils before 2022-07-29 through 2022-07-30 ( 125658, 126003, 126105, and 126120) allow authenticated users to make database changes that lead to remote code execution.
Zohocorp ManageEngine Password Manager Pro versions before 12431 and ManageEngine PAM360 versions before 7001 are affected by authenticated SQL Injection vulnerability via a global search option.
Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to the authenticated SQL injection in extranet lockouts report option.
Zohocorp ManageEngine OpManager and Remote Monitoring and Management versions 128329 and below are vulnerable to the authenticated remote code execution in the deploy agent option.
Zohocorp ManageEngine ADAudit Plus versions below 8110 are vulnerable to authenticated SQL Injection in file auditing configuration.
Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in reports module.
Zohocorp ManageEngine ADAudit Plus versions below 8000 are vulnerable to the authenticated SQL injection in aggregate reports option.
Zohocorp ManageEngine ADAudit Plus versions below 8110 are vulnerable to authenticated SQL Injection in attack surface analyzer's export option.
Zohocorp ManageEngine ADAudit Plus versions below 8123 are vulnerable to SQL Injection in the reports module.
Zoho ManageEngine OPManager through 126323 allows an authenticated user to achieve remote code execution via probe servers.
Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.
Zoho ManageEngine OpManager before 125588 (and before 125603) is vulnerable to authenticated SQL Injection in the Inventory Reports module.
Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login).
Zoho ManageEngine ADAudit Plus before 7055 allows authenticated Privilege Escalation on Integrated products. This occurs because a password field is present in a JSON response.
Zoho ManageEngine ADAudit Plus versions below 7271 allows SQL injection in the dashboard graph feature.
ManageEngine AppManager15 (Build No:15510) allows an authenticated admin user to upload a DLL file to perform a DLL hijack attack inside the 'working' folder through the 'Upload Files / Binaries' functionality.
A vulnerability in the showReports module of Zoho ManageEngine Applications Manager before build 14550 allows authenticated attackers to execute a SQL injection via a crafted request.
Zoho ManageEngine Applications Manager before 14 build 14880 allows an authenticated SQL Injection via a crafted Alarmview request.
Zoho ManageEngine M365 Manager Plus before Build 4419 allows remote command execution when updating proxy settings through the Admin ProxySettings and Tenant ProxySettings components.
Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the RCA module.
Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the SAP module.
Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution.
Zoho ManageEngine CloudSecurityPlus before Build 4117 allows remote code execution through the updatePersonalizeSettings component due to an improper security patch for CVE-2021-40175.
Zoho ManageEngine Desktop Central before 10.0.662 allows remote code execution by an authenticated user who has complete access to the Reports module.
An issue was discovered in Zoho ManageEngine EventLog Analyzer 10.0 SP1 before Build 12110. By running "select hostdetails from hostdetails" at the /event/runquery.do endpoint, it is possible to bypass the security restrictions that prevent even administrative users from viewing credential data stored in the database, and recover the MD5 hashes of the accounts used to authenticate the ManageEngine platform to the managed machines on the network (most often administrative accounts). Specifically, this bypasses these restrictions: a query cannot mention password, and a query result cannot have a password column.