This CPE summary could be partial or incomplete. Please contact us for a detailed listing.

Summary

Detail
Vendor Zohocorp First view 2019-08-15
Product Manageengine Applications Manager Last view 2024-08-01
Version 14.1 Type Application
Update build14180  
Edition *  
Language *  
Sofware Edition *  
Target Software *  
Target Hardware *  
Other *  
 
CPE Product cpe:2.3:a:zohocorp:manageengine_applications_manager

Activity : Overall

Related : CVE

  Date Alert Description
4.7 2024-08-01 CVE-2024-5678

Zohocorp ManageEngine Applications Manager versions 170900 and below are vulnerable to the authenticated admin-only SQL Injection in the Create Monitor feature.

6.1 2023-08-10 CVE-2023-38333

Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in.

6.1 2023-04-26 CVE-2023-29442

Zoho ManageEngine Applications Manager before 16400 allows proxy.html DOM XSS.

6.1 2023-04-11 CVE-2023-28341

Stored Cross site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to inject malicious javascript on the incorrect login details page.

6.5 2023-04-11 CVE-2023-28340

Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack.

7.2 2022-05-24 CVE-2022-23050

ManageEngine AppManager15 (Build No:15510) allows an authenticated admin user to upload a DLL file to perform a DLL hijack attack inside the 'working' folder through the 'Upload Files / Binaries' functionality.

8.8 2022-01-10 CVE-2020-28679

A vulnerability in the showReports module of Zoho ManageEngine Applications Manager before build 14550 allows authenticated attackers to execute a SQL injection via a crafted request.

9.8 2021-11-03 CVE-2020-24743

An issue was found in /showReports.do Zoho ManageEngine Applications Manager up to 14550, allows attackers to gain escalated privileges via the resourceid parameter.

5.4 2021-07-01 CVE-2021-31813

Zoho ManageEngine Applications Manager before 15130 is vulnerable to Stored XSS while importing malicious user details (e.g., a crafted user name) from AD.

8.8 2021-02-05 CVE-2020-35765

doFilter in com.adventnet.appmanager.filter.UriCollector in Zoho ManageEngine Applications Manager through 14930 allows an authenticated SQL Injection via the resourceid parameter to showresource.do.

9.8 2020-10-01 CVE-2020-15533

In Zoho ManageEngine Application Manager 14.7 Build 14730 (before 14684, and between 14689 and 14750), the AlarmEscalation module is vulnerable to unauthenticated SQL Injection attack.

5.3 2020-03-13 CVE-2019-19799

Zoho ManageEngine Applications Manager before 14600 allows a remote unauthenticated attacker to disclose license related information via WieldFeedServlet servlet.

8.8 2019-08-15 CVE-2019-15105

An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature.

CWE : Common Weakness Enumeration

%idName
41% (5) CWE-89 Improper Sanitization of Special Elements used in an SQL Command ('...
33% (4) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
8% (1) CWE-611 Information Leak Through XML External Entity File Disclosure
8% (1) CWE-427 Uncontrolled Search Path Element
8% (1) CWE-306 Missing Authentication for Critical Function