Note: This project will be discontinued after December 13, 2021.
Product: Manageengine_opmanager (Zohocorp)

Repositories | Unknown: This might be proprietary software. |
#Vulnerabilities | 56 |

Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2019-05-23 | CVE-2017-11559 | An issue was discovered in ZOHO ManageEngine OpManager 12.2. The 'apiKey' parameter of "/api/json/admin/getmailserversettings" and "/api/json/dashboard/gotoverviewlist" is vulnerable to a Blind SQL Injection attack. | Manageengine_opmanager | 7.5 | ||
2018-11-06 | CVE-2018-18980 | An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server. | Manageengine_network_configuration_manager, Manageengine_opmanager | 7.5 | ||
2018-09-21 | CVE-2018-17283 | Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter. | Manageengine_opmanager | 7.5 | ||
2018-09-20 | CVE-2018-17243 | Global Search in Zoho ManageEngine OpManager before 12.3 123205 allows SQL Injection. | Manageengine_opmanager | 9.8 | ||
2017-08-03 | CVE-2015-9107 | Zoho ManageEngine OpManager 11 through 12.2 uses a custom encryption algorithm to protect the credential used to access the monitored devices. The implemented algorithm doesn't use a per-system key or even a salt; therefore, it's possible to create a universal decryptor. | Manageengine_opmanager | 9.8 | ||
2015-10-09 | CVE-2015-7766 | PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and earlier allows remote administrators to bypass SQL query restrictions via a comment in the query to api/json/admin/SubmitQuery, as demonstrated by "INSERT/**/INTO." | Manageengine_opmanager | N/A | ||
2015-10-09 | CVE-2015-7765 | ZOHO ManageEngine OpManager 11.5 build 11600 and earlier uses a hardcoded password of "plugin" for the IntegrationUser account, which allows remote authenticated users to obtain administrator access by leveraging knowledge of this password. | Manageengine_opmanager | N/A | ||
2015-02-04 | CVE-2014-7864 | Multiple SQL injection vulnerabilities in the FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine OpManager 8 through 11.5 build 11400 and IT360 10.5 and earlier allow remote attackers and remote authenticated users to execute arbitrary SQL commands via the (1) customerName or (2) serverRole parameter in a standbyUpdateInCentral operation to servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet. | Manageengine_opmanager | N/A | ||
2014-12-04 | CVE-2014-6035 | Directory traversal vulnerability in the FileCollector servlet in ZOHO ManageEngine OpManager 11.4, 11.3, and earlier allows remote attackers to write and execute arbitrary files via a .. (dot dot) in the FILENAME parameter. | Manageengine_opmanager | N/A | ||
2014-12-04 | CVE-2014-6034 | Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in ZOHO ManageEngine OpManager 8.8 through 11.3, Social IT Plus 11.0, and IT360 10.4 and earlier allows remote attackers or remote authenticated users to write to and execute arbitrary WAR files via a .. (dot dot) in the regionID parameter. | Manageengine_it360, Manageengine_opmanager, Manageengine_social_it_plus | N/A | ||