Summary
Detail | | | |
---|---|---|---|
Vendor | Zohocorp | First view | 2019-08-15 |
Product | Manageengine Opmanager | Last view | 2024-01-08 |
Version | 12.4 | Type | Application |
Update | build124169 | | |
Edition | * | | |
Language | * | | |
Software Edition | * | | |
Target Software | * | | |
Target Hardware | * | | |
Other | * | | |
CPE Product | cpe:2.3:a:zohocorp:manageengine_opmanager | | |
Activity : Overall
Related : CVE
Score | Date | Alert | Description |
---|---|---|---|
8.6 | 2024-01-08 | CVE-2023-47211 | A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability. |
8.8 | 2023-05-04 | CVE-2023-31099 | Zoho ManageEngine OPManager through 126323 allows an authenticated user to achieve remote code execution via probe servers. |
5.4 | 2023-03-30 | CVE-2022-43473 | A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve a malicious XML payload to trigger this vulnerability. |
8.2 | 2022-07-18 | CVE-2022-35404 | ManageEngine Password Manager Pro 12100 and prior and OPManager 126100 and prior are vulnerable to unauthorized file and directory creation on a server machine. |
9.8 | 2022-05-05 | CVE-2022-29535 | Zoho ManageEngine OPManager through 125588 allows SQL Injection via a few default reports. |
8.8 | 2022-04-18 | CVE-2022-27908 | Zoho ManageEngine OpManager before 125588 (and before 125603) is vulnerable to authenticated SQL Injection in the Inventory Reports module. |
9.8 | 2021-10-13 | CVE-2021-41075 | The NetFlow Analyzer in Zoho ManageEngine OpManager before 125455 is vulnerable to SQL Injection in the Attacks Module API. |
9.8 | 2021-10-13 | CVE-2021-40493 | Zoho ManageEngine OpManager before 125437 is vulnerable to SQL Injection in the support diagnostics module. This occurs via the pollingObject parameter of the getDataCollectionFailureReason API. |
9.8 | 2021-09-30 | CVE-2021-41288 | Zoho ManageEngine OpManager version 125466 and below is vulnerable to SQL Injection in the getReportData API. |
9.8 | 2021-04-22 | CVE-2021-3287 | Zoho ManageEngine OpManager before 12.5.329 allows unauthenticated Remote Code Execution due to a general bypass in the deserialization class. |
9.1 | 2021-04-01 | CVE-2021-20078 | Manage Engine OpManager builds below 125346 are vulnerable to a remote denial of service vulnerability due to a path traversal issue in the spark gateway component. This allows a remote attacker to remotely delete any directory or directories on the OS. |
9.8 | 2021-02-03 | CVE-2020-28653 | Zoho ManageEngine OpManager Stable build before 125203 (and Released build before 125233) allows Remote Code Execution via the Smart Update Manager (SUM) servlet. |
7.5 | 2020-06-04 | CVE-2020-13818 | In Zoho ManageEngine OpManager before 125144, when |
7.5 | 2020-05-07 | CVE-2020-12116 | Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request. |
7.5 | 2020-04-04 | CVE-2020-11527 | In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files. |
9.8 | 2020-03-13 | CVE-2020-10541 | Zoho ManageEngine OpManager before 12.4.179 allows remote code execution via a specially crafted Mail Server Settings v1 API request. This was fixed in 12.5.108. |
9.8 | 2019-08-15 | CVE-2019-15106 | An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. One can bypass the user password requirement and execute commands on the server. The username+'@opm' string is used for the password. For example, if the username is admin, the password is admin@opm. |
CWE : Common Weakness Enumeration
% | ID | Name |
---|---|---|
38% (5) | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('... |
30% (4) | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path ... |
7% (1) | CWE-611 | Information Leak Through XML External Entity File Disclosure |
7% (1) | CWE-502 | Deserialization of Untrusted Data |
7% (1) | CWE-306 | Missing Authentication for Critical Function |
7% (1) | CWE-20 | Improper Input Validation |