Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Manageengine_desktop_central
(Zohocorp)Repositories |
Unknown: This might be proprietary software. |
#Vulnerabilities | 48 |
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2023-11-03 | CVE-2023-4767 | A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.csv. | Manageengine_desktop_central | 6.1 | ||
2023-11-03 | CVE-2023-4768 | A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.pdf. | Manageengine_desktop_central | 6.1 | ||
2023-11-03 | CVE-2023-4769 | A SSRF vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0, specifically the /smtpConfig.do component. This vulnerability could allow an authenticated attacker to launch targeted attacks, such as a cross-port attack, service enumeration and other attacks via HTTP requests. | Manageengine_desktop_central | 8.8 | ||
2022-01-28 | CVE-2022-23863 | Zoho ManageEngine Desktop Central before 10.1.2137.10 allows an authenticated user to change any user's login password. | Manageengine_desktop_central | 6.5 | ||
2023-02-25 | CVE-2022-48362 | Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2 allow directory traversal via computerName to AgentLogUploadServlet. A remote, authenticated attacker could upload arbitrary code that would be executed when Desktop Central is restarted. (The attacker could authenticate by exploiting CVE-2021-44515.) | Manageengine_desktop_central | 8.8 | ||
2020-03-23 | CVE-2019-15510 | ManageEngine_DesktopCentral.exe in Zoho ManageEngine Desktop Central 10 allows HTML injection on the user administration page via the description of a role. | Manageengine_desktop_central | 6.1 | ||
2020-03-06 | CVE-2020-10189 | Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets. | Manageengine_desktop_central | 9.8 | ||
2021-12-12 | CVE-2021-44515 | Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in the wild in December 2021. For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For MSP builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. | Manageengine_desktop_central | 9.8 | ||
2022-01-18 | CVE-2021-44757 | Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9 allow attackers to bypass authentication, and read sensitive information or upload an arbitrary ZIP archive to the server. | Manageengine_desktop_central, Manageengine_desktop_central_managed_service_providers | 9.1 | ||
2020-07-29 | CVE-2020-15588 | An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.552.W. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges. This issue will occur only when untrusted communication is initiated with server. In cloud, Agent will always connect with trusted communication. | Manageengine_desktop_central | 9.8 |