Product: Manageengine_desktop_central (Zohocorp)

Repositories

Unknown: This might be proprietary software.

#Vulnerabilities 49
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-11-03 | CVE-2023-4767 | A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.csv. | Manageengine_desktop_central | 6.1 | | |
| 2023-11-03 | CVE-2023-4768 | A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.pdf. | Manageengine_desktop_central | 6.1 | | |
| 2023-11-03 | CVE-2023-4769 | A SSRF vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0, specifically the /smtpConfig.do component. This vulnerability could allow an authenticated attacker to launch targeted attacks, such as a cross-port attack, service enumeration and other attacks via HTTP requests. | Manageengine_desktop_central | 8.8 | | |
| 2023-01-18 | CVE-2022-47966 | Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081,... | Application_control_plus, Manageengine_access_manager_plus, Manageengine_ad360, Manageengine_adaudit_plus, Manageengine_admanager_plus, Manageengine_adselfservice_plus, Manageengine_analytics_plus, Manageengine_assetexplorer, Manageengine_browser_security_plus, Manageengine_desktop_central, Manageengine_device_control_plus, Manageengine_endpoint_dlp_plus, Manageengine_key_manager_plus, Manageengine_os_deployer, Manageengine_pam360, Manageengine_password_manager_pro, Manageengine_patch_manager_plus, Manageengine_remote_access_plus, Manageengine_rmm_central, Manageengine_servicedesk_plus, Manageengine_servicedesk_plus_msp, Manageengine_supportcenter_plus, Manageengine_vulnerability_manager_plus | 9.8 | | |
| 2022-01-28 | CVE-2022-23863 | Zoho ManageEngine Desktop Central before 10.1.2137.10 allows an authenticated user to change any user's login password. | Manageengine_desktop_central | 6.5 | | |
| 2023-02-25 | CVE-2022-48362 | Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2 allow directory traversal via computerName to AgentLogUploadServlet. A remote, authenticated attacker could upload arbitrary code that would be executed when Desktop Central is restarted. (The attacker could authenticate by exploiting CVE-2021-44515.) | Manageengine_desktop_central | 8.8 | | |
| 2020-03-23 | CVE-2019-15510 | ManageEngine_DesktopCentral.exe in Zoho ManageEngine Desktop Central 10 allows HTML injection on the user administration page via the description of a role. | Manageengine_desktop_central | 6.1 | | |
| 2020-03-06 | CVE-2020-10189 | Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets. | Manageengine_desktop_central | 9.8 | | |
| 2021-12-12 | CVE-2021-44515 | Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in the wild in December 2021. For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. | Manageengine_desktop_central | 9.8 | | |
| 2022-01-18 | CVE-2021-44757 | Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9 allow attackers to bypass authentication, and read sensitive information or upload an arbitrary ZIP archive to the server. | Manageengine_desktop_central, Manageengine_desktop_central_managed_service_providers | 9.1 | | |