Note: This project will be discontinued after December 13, 2021.
Product: Manageengine_applications_manager (Zohocorp)

Repositories | Unknown: This might be proprietary software. |
#Vulnerabilities | 52 |

Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2019-05-23 | CVE-2017-11738 | In Zoho ManageEngine Application Manager 13.1 Build 13100, the 'haid' parameter of the '/auditLogAction.do' module is vulnerable to a Time-based Blind SQL Injection attack. | Manageengine_applications_manager | 8.1 | ||
2019-05-23 | CVE-2017-11557 | An issue was discovered in ZOHO ManageEngine Applications Manager 12.3. It is possible for an unauthenticated user to view the list of domain names and usernames used in a company's network environment via a userconfiguration.do?method=editUser request. | Manageengine_applications_manager | 5.3 | ||
2019-05-23 | CVE-2017-11740 | In Zoho ManageEngine Application Manager 13.1 Build 13100, the administrative user has the ability to upload files/binaries that can be executed upon the occurrence of an alarm. An attacker can abuse this functionality by uploading a malicious script that can be executed on the remote system. | Manageengine_applications_manager | 8.8 | ||
2019-04-22 | CVE-2019-11448 | An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain the authority of SYSTEM on the server due to a Popup_SLA.jsp sid SQL injection vulnerability. For example, the attacker can subsequently write arbitrary text to a .vbs file. | Manageengine_applications_manager | 9.8 | ||
2019-04-23 | CVE-2019-11469 | Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature. | Manageengine_applications_manager | 9.8 | ||
2018-03-08 | CVE-2018-7890 | A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specified system. This endpoint calls several internal classes, and then executes a PowerShell script. If the specified system is OfficeSharePointServer, then the username and password parameters to this script are not validated, leading to Command Injection. | Manageengine_applications_manager | 9.8 | ||
2018-09-26 | CVE-2018-16364 | A serialization vulnerability in Zoho ManageEngine Applications Manager before build 13740 allows for remote code execution on Windows via a payload on an SMB share. | Manageengine_applications_manager | 8.1 | ||
2018-08-07 | CVE-2018-15169 | A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager 13 before build 13820 allows remote attackers to inject arbitrary web script or HTML via the /deleteMO.do method parameter. | Manageengine_applications_manager | 6.1 | ||
2018-08-07 | CVE-2018-15168 | A SQL Injection vulnerability exists in the Zoho ManageEngine Applications Manager 13 before build 13820 via the resids parameter in a /editDisplaynames.do?method=editDisplaynames GET request. | Manageengine_applications_manager | 9.8 | ||
2018-07-02 | CVE-2018-13050 | A SQL Injection vulnerability exists in Zoho ManageEngine Applications Manager 13.x before build 13800 via the j_username parameter in a /j_security_check POST request. | Manageengine_applications_manager | 9.8 | ||