Vulnerabilities (CVE)

Filtered by vendor Zohocorp Subscribe
Total 503 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2023-0169 1 Zohocorp 1 Zoho Forms 2025-03-21 N/A 5.4 MEDIUM
The Zoho Forms WordPress plugin before 3.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
CVE-2019-8394 1 Zohocorp 1 Manageengine Servicedesk Plus 2025-03-14 4.0 MEDIUM 6.5 MEDIUM
Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization.
CVE-2020-10189 1 Zohocorp 1 Manageengine Desktop Central 2025-03-14 10.0 HIGH 9.8 CRITICAL
Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.
CVE-2021-44515 1 Zohocorp 1 Manageengine Desktop Central 2025-03-14 10.0 HIGH 9.8 CRITICAL
Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in the wild in December 2021. For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3.
CVE-2021-44077 1 Zohocorp 3 Manageengine Servicedesk Plus, Manageengine Servicedesk Plus Msp, Manageengine Supportcenter Plus 2025-03-14 7.5 HIGH 9.8 CRITICAL
Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.
CVE-2022-48362 1 Zohocorp 1 Manageengine Desktop Central 2025-03-11 N/A 8.8 HIGH
Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2 allow directory traversal via computerName to AgentLogUploadServlet. A remote, authenticated attacker could upload arbitrary code that would be executed when Desktop Central is restarted. (The attacker could authenticate by exploiting CVE-2021-44515.)
CVE-2023-38333 1 Zohocorp 1 Manageengine Applications Manager 2025-03-07 N/A 6.1 MEDIUM
Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in.
CVE-2023-26600 1 Zohocorp 4 Manageengine Assetexplorer, Manageengine Servicedesk Plus, Manageengine Servicedesk Plus Msp and 1 more 2025-03-06 N/A 6.5 MEDIUM
ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Explorer through 6987 allow privilege escalation via query reports.
CVE-2023-6105 3 Linux, Microsoft, Zohocorp 41 Linux Kernel, Windows, Manageengine Access Manager Plus and 38 more 2025-02-13 N/A 5.5 MEDIUM
An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine product database.
CVE-2023-28342 1 Zohocorp 1 Manageengine Adselfservice Plus 2025-02-13 N/A 7.5 HIGH
Zoho ManageEngine ADSelfService Plus before 6218 allows anyone to conduct a Denial-of-Service attack via the Mobile App Authentication API.
CVE-2023-28341 1 Zohocorp 1 Manageengine Applications Manager 2025-02-10 N/A 6.1 MEDIUM
Stored Cross site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to inject malicious javascript on the incorrect login details page.
CVE-2023-28340 1 Zohocorp 1 Manageengine Applications Manager 2025-02-10 N/A 6.5 MEDIUM
Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack.
CVE-2023-29084 1 Zohocorp 1 Manageengine Admanager Plus 2025-02-07 N/A 7.2 HIGH
Zoho ManageEngine ADManager Plus before 7181 allows for authenticated users to exploit command injection via Proxy settings.
CVE-2023-29443 1 Zohocorp 4 Manageengine Assetexplorer, Manageengine Servicedesk Plus, Manageengine Servicedesk Plus Msp and 1 more 2025-02-03 N/A 4.9 MEDIUM
Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint.
CVE-2023-2291 1 Zohocorp 3 Manageengine Access Manager Plus, Manageengine Pam360, Manageengine Password Manager Pro 2025-02-03 N/A 7.8 HIGH
Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360. These credentials could allow a malicious actor to modify configuration data that would escalate their permissions from that of a low-privileged user to an Administrative user.
CVE-2023-29442 1 Zohocorp 1 Manageengine Applications Manager 2025-02-03 N/A 6.1 MEDIUM
Zoho ManageEngine Applications Manager before 16400 allows proxy.html DOM XSS.
CVE-2023-31099 1 Zohocorp 1 Manageengine Opmanager 2025-01-29 N/A 8.8 HIGH
Zoho ManageEngine OPManager through 126323 allows an authenticated user to achieve remote code execution via probe servers.
CVE-2022-29081 1 Zohocorp 3 Manageengine Access Manager Plus, Manageengine Pam360, Manageengine Password Manager Pro 2025-01-13 7.5 HIGH 9.8 CRITICAL
Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. FetchEvents. and Synchronize) via the ../RestAPI substring.
CVE-2022-40300 1 Zohocorp 3 Manageengine Access Manager Plus, Manageengine Pam360, Manageengine Password Manager Pro 2025-01-13 N/A 9.8 CRITICAL
Zoho ManageEngine Password Manager Pro through 12120 before 12121, PAM360 through 5550 before 5600, and Access Manager Plus through 4304 before 4305 have multiple SQL injection vulnerabilities.
CVE-2024-5466 1 Zohocorp 4 Manageengine Opmanager, Manageengine Opmanager Msp, Manageengine Opmanager Plus and 1 more 2024-12-19 N/A 8.8 HIGH
Zohocorp ManageEngine OpManager andĀ Remote Monitoring and Management versionsĀ 128329 and below are vulnerable to the authenticated remote code execution in the deploy agent option.