Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): cpe:2.3:a:zohocorp:manageengine_opmanager:-:*:*:*:*:*:*:*
- CPE Name Search: true
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2018-17283 |
Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter. Published: September 20, 2018; 11:29:00 PM -0400 |
V4.0:(not available) V3.0: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2018-17243 |
Global Search in Zoho ManageEngine OpManager before 12.3 123205 allows SQL Injection. Published: September 20, 2018; 3:29:00 AM -0400 |
V4.0:(not available) V3.0: 9.8 CRITICAL V2.0: 7.5 HIGH |
CVE-2018-12998 |
A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows remote attackers to inject arbitrary web script or HTML via the parameter 'operation' to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet. Published: June 29, 2018; 8:29:00 AM -0400 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2018-12997 |
Incorrect Access Control in FailOverHelperServlet in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows attackers to read certain files on the web server without login by sending a specially crafted request to the server with the operation=copyfile&fileName= substring. Published: June 29, 2018; 8:29:00 AM -0400 |
V4.0:(not available) V3.1: 7.5 HIGH V2.0: 5.0 MEDIUM |
CVE-2015-7766 |
PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and earlier allows remote administrators to bypass SQL query restrictions via a comment in the query to api/json/admin/SubmitQuery, as demonstrated by "INSERT/**/INTO." Published: October 09, 2015; 10:59:08 AM -0400 |
V4.0:(not available) V3.x:(not available) V2.0: 9.0 HIGH |
CVE-2014-6036 |
Directory traversal vulnerability in the multipartRequest servlet in ZOHO ManageEngine OpManager 11.3 and earlier, Social IT Plus 11.0, and IT360 10.3, 10.4, and earlier allows remote attackers or remote authenticated users to delete arbitrary files via a .. (dot dot) in the fileName parameter. Published: December 04, 2014; 12:59:04 PM -0500 |
V4.0:(not available) V3.x:(not available) V2.0: 6.4 MEDIUM |
CVE-2014-6035 |
Directory traversal vulnerability in the FileCollector servlet in ZOHO ManageEngine OpManager 11.4, 11.3, and earlier allows remote attackers to write and execute arbitrary files via a .. (dot dot) in the FILENAME parameter. Published: December 04, 2014; 12:59:03 PM -0500 |
V4.0:(not available) V3.x:(not available) V2.0: 7.5 HIGH |