Summary
Detail | |||
---|---|---|---|
Vendor | Zohocorp | First view | 2019-04-22 |
Product | Manageengine Applications Manager | Last view | 2023-08-10 |
Version | 14.0 | Type | Application |
Update | build14520 | ||
Edition | * | ||
Language | * | ||
Sofware Edition | * | ||
Target Software | * | ||
Target Hardware | * | ||
Other | * | ||
CPE Product | cpe:2.3:a:zohocorp:manageengine_applications_manager |
Activity : Overall
Related : CVE
Date | Alert | Description | |
---|---|---|---|
6.1 | 2023-08-10 | CVE-2023-38333 | Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in. |
6.1 | 2023-04-26 | CVE-2023-29442 | Zoho ManageEngine Applications Manager before 16400 allows proxy.html DOM XSS. |
6.1 | 2023-04-11 | CVE-2023-28341 | Stored Cross site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to inject malicious javascript on the incorrect login details page. |
6.5 | 2023-04-11 | CVE-2023-28340 | Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack. |
7.2 | 2022-05-24 | CVE-2022-23050 | ManageEngine AppManager15 (Build No:15510) allows an authenticated admin user to upload a DLL file to perform a DLL hijack attack inside the 'working' folder through the 'Upload Files / Binaries' functionality. |
9.8 | 2021-11-03 | CVE-2020-24743 | An issue was found in /showReports.do Zoho ManageEngine Applications Manager up to 14550, allows attackers to gain escalated privileges via the resourceid parameter. |
5.4 | 2021-07-01 | CVE-2021-31813 | Zoho ManageEngine Applications Manager before 15130 is vulnerable to Stored XSS while importing malicious user details (e.g., a crafted user name) from AD. |
8.8 | 2021-02-05 | CVE-2020-35765 | doFilter in com.adventnet.appmanager.filter.UriCollector in Zoho ManageEngine Applications Manager through 14930 allows an authenticated SQL Injection via the resourceid parameter to showresource.do. |
8.8 | 2021-01-19 | CVE-2020-27733 | Zoho ManageEngine Applications Manager before 14 build 14880 allows an authenticated SQL Injection via a crafted Alarmview request. |
9.8 | 2020-10-29 | CVE-2020-27995 | SQL Injection in Zoho ManageEngine Applications Manager 14 before 14560 allows an attacker to execute commands on the server via the MyPage.do template_resid parameter. |
9.8 | 2020-10-01 | CVE-2020-15533 | In Zoho ManageEngine Application Manager 14.7 Build 14730 (before 14684, and between 14689 and 14750), the AlarmEscalation module is vulnerable to unauthenticated SQL Injection attack. |
6.1 | 2020-09-25 | CVE-2020-15521 | Zoho ManageEngine Applications Manager before 14 build 14730 has no protection against jsp/header.jsp Cross-site Scripting (XSS) . |
9.8 | 2020-09-25 | CVE-2020-15394 | The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution. |
7.2 | 2020-09-04 | CVE-2020-14008 | Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution. |
5.3 | 2020-03-13 | CVE-2019-19799 | Zoho ManageEngine Applications Manager before 14600 allows a remote unauthenticated attacker to disclose license related information via WieldFeedServlet servlet. |
8.8 | 2019-08-15 | CVE-2019-15105 | An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature. |
8.8 | 2019-08-15 | CVE-2019-15104 | An issue was discovered in Zoho ManageEngine OpManager through 12.4x. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature. |
9.8 | 2019-04-23 | CVE-2019-11469 | Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature. |
9.8 | 2019-04-22 | CVE-2019-11448 | An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain the authority of SYSTEM on the server due to a Popup_SLA.jsp sid SQL injection vulnerability. For example, the attacker can subsequently write arbitrary text to a .vbs file. |
CWE : Common Weakness Enumeration
% | id | Name |
---|---|---|
50% (9) | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('... |
27% (5) | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') |
5% (1) | CWE-611 | Information Leak Through XML External Entity File Disclosure |
5% (1) | CWE-434 | Unrestricted Upload of File with Dangerous Type |
5% (1) | CWE-427 | Uncontrolled Search Path Element |
5% (1) | CWE-306 | Missing Authentication for Critical Function |