Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via an uploaded product license.
Zoho ManageEngine ADManager Plus before 7110 is vulnerable to blind XXE.
Zoho ManageEngine ServiceDesk Plus MSP before 10521 is vulnerable to Server-Side Request Forgery (SSRF).
Zoho ManageEngine ADSelfService Plus 5.x before build 5703 has SSRF.
Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads to Remote Code Execution.
The Custom Report import function in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123224 is vulnerable to XML External Entity (XXE) Injection.
ManageEngine Log360 Builds < 5235 are affected by an improper access control vulnerability allowing database configuration overwrite. An unauthenticated remote attacker can send a specially crafted message to Log360 to change its backend database to an attacker-controlled database and to force Log360 to restart. An attacker can leverage this vulnerability to achieve remote code execution by replacing files executed by Log360 on startup.
An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: missing authentication/authorization for a database query mechanism.
An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: a missing server-side check on the file type/extension when uploading and modifying scripts.
The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, the vulnerability can be exploited via RDP. Additionally, if the web server has a misconfigured certificate then no spoofing attack is required
Zoho ManageEngine SharePoint Manager Plus before 4329 allows account takeover because authorization is mishandled.
Zoho ManageEngine SharePoint Manager Plus before 4329 is vulnerable to a sensitive data leak that leads to privilege escalation.
An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: insufficient enforcement of database query type restrictions.
Zoho NetFlow Analyzer build 10250 and earlier does not check for administrative authorization, which allows remote attackers to obtain sensitive information, modify passwords, or remove accounts by leveraging the guest role.
An issue was discovered in Zoho ManageEngine Desktop Central 10.0.124 and 10.0.184: directory traversal in the SCRIPT_NAME field when modifying existing scripts.
Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.
Zoho ManageEngine PAM360 before build 5303 allows attackers to modify a few aspects of application state because of a filter bypass in which authentication is not required.
Zoho ManageEngine Access Manager Plus before 4203 allows anyone to view a few data elements (e.g., access control details) and modify a few aspects of the application state.
OpUtils in Zoho ManageEngine OpManager 12.5 before 125490 mishandles authentication for a few audit directories.
Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.
Zoho ManageEngine ServiceDesk Plus MSP before 10.5 Build 10534 is vulnerable to unauthenticated remote code execution due to a filter bypass in which authentication is not required.
Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in the wild in December 2021. For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.
Zoho ManageEngine ADAudit Plus before 7006 allows attackers to write to, and execute, arbitrary files.
Zoho ManageEngine M365 Manager Plus before 4421 is vulnerable to file-upload remote code execution.
Zoho ManageEngine Network Configuration Manager before 125488 is vulnerable to command injection due to improper validation in the Ping functionality.
Zoho ManageEngine Patch Connect Plus before 90099 is vulnerable to unauthenticated remote code execution.
ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions and execute arbitrary SQL commands via an allowed query followed by a disallowed one in the query parameter to event/runQuery.do, as demonstrated by "SELECT 1;INSERT INTO." Fixed in Build 11200.
Zoho ManageEngine Network Configuration Manager before 125465 is vulnerable to SQL Injection in a hardware details search.
Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection via the getGraphData API.
Zoho ManageEngine OpManager before 12.3 build 123214 allows Unrestricted Arbitrary File Upload.
Zoho ManageEngine ADManager Plus version 7110 and prior is vulnerable to unrestricted file upload, leading to remote code execution.
Zoho ManageEngine OpManager 12.3 before build 123239 allows SQL injection in the Alarms section.
Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.
A SQL Injection vulnerability exists in the Zoho ManageEngine Applications Manager 13 before build 13820 via the resids parameter in a /editDisplaynames.do?method=editDisplaynames GET request.
An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer before build number 12136, ADAudit Plus before build number 6052, O365 Manager Plus before build number 4334, Cloud Security Plus before build number 4110, ADManager Plus before build number 7055, and Log360 before build number 5166. The remotely accessible Java servlet com.manageengine.ads.fw.servlet.UpdateProductDetails is prone to an authentication bypass. System integration properties can be modified and lead to full ManageEngine suite compromise.
Zoho ManageEngine ADManager Plus before 7110 allows remote code execution.
A SQL Injection vulnerability exists in Zoho ManageEngine Applications Manager 13.x before build 13800 via the j_username parameter in a /j_security_check POST request.
Zoho ManageEngine OpManager 12.3 before 123222 has SQL Injection via Mail Server settings.
OS Command injection vulnerability in Support Center Plus 11 via Executor in Action when creating new schedules.
Global Search in Zoho ManageEngine OpManager before 12.3 123205 allows SQL Injection.
Multiple directory traversal vulnerabilities in ZOHO ManageEngine OpManager 8 (build 88xx) through 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to write and execute arbitrary files via a .. (dot dot) in the (1) fileName parameter to the MigrateLEEData servlet or (2) zipFileName parameter in a downloadFileFromProbe operation to the MigrateCentralData servlet.
The DCPluginServelet servlet in ManageEngine Desktop Central and Desktop Central MSP before build 90109 allows remote attackers to create administrator accounts via an addPlugInUser action.
Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 allows remote attackers to execute arbitrary code by uploading a ZIP file which contains an executable file with .. (dot dot) sequences in its name, then accessing the executable via a direct request to the file under the web root. Fixed in Build 11072.
SQL injection vulnerability in the com.manageengine.opmanager.servlet.UpdateProbeUpgradeStatus servlet in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the probeName parameter.
Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the (1) OPM_BVNAME parameter in a Delete operation to the APMBVHandler servlet or (2) query parameter in a compare operation to the DataComparisonServlet servlet.
Multiple SQL injection vulnerabilities in the FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine OpManager 8 through 11.5 build 11400 and IT360 10.5 and earlier allow remote attackers and remote authenticated users to execute arbitrary SQL commands via the (1) customerName or (2) serverRole parameter in a standbyUpdateInCentral operation to servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.
Directory traversal vulnerability in the FileCollector servlet in ZOHO ManageEngine OpManager 11.4, 11.3, and earlier allows remote attackers to write and execute arbitrary files via a .. (dot dot) in the FILENAME parameter.
Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter to mdm/mdmLogUploader.
SQL injection vulnerability in the MetadataServlet servlet in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition 5 through 7 build 7003, IT360 and IT360 Managed Service Providers (MSP) edition before 10.3.3 build 10330, and possibly other ManageEngine products, allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the sv parameter to MetadataServlet.dat.
Zoho ManageEngine Access Manager Plus before 4309, Password Manager Pro before 12210, and PAM360 before 5801 are vulnerable to SQL Injection.