U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:zohocorp:manageengine_opmanager:12.5:-:*:*:*:*:*:*
  • CPE Name Search: true
There are 11 matching records.
Displaying matches 1 through 11.
Vuln ID Summary CVSS Severity

Zoho ManageEngine OPManager through 126323 allows an authenticated user to achieve remote code execution via probe servers.

Published: May 03, 2023; 10:15:19 PM -0400
V3.1: 8.8 HIGH
V2.0:(not available)

A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve a malicious XML payload to trigger this vulnerability.

Published: March 30, 2023; 1:15:06 PM -0400
V3.1: 5.4 MEDIUM
V2.0:(not available)

ManageEngine Password Manager Pro 12100 and prior and OPManager 126100 and prior are vulnerable to unauthorized file and directory creation on a server machine.

Published: July 18, 2022; 9:15:10 AM -0400
V3.1: 8.2 HIGH
V2.0:(not available)

Zoho ManageEngine OPManager through 125588 allows SQL Injection via a few default reports.

Published: May 05, 2022; 7:15:09 PM -0400
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH

Zoho ManageEngine OpManager before 125588 (and before 125603) is vulnerable to authenticated SQL Injection in the Inventory Reports module.

Published: April 18, 2022; 9:15:08 AM -0400
V3.1: 8.8 HIGH
V2.0: 6.5 MEDIUM

OpUtils in Zoho ManageEngine OpManager 12.5 before 125490 mishandles authentication for a few audit directories.

Published: December 09, 2021; 3:15:08 PM -0500
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH

The NetFlow Analyzer in Zoho ManageEngine OpManger before 125455 is vulnerable to SQL Injection in the Attacks Module API.

Published: October 13, 2021; 7:15:07 PM -0400
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH

Zoho ManageEngine OpManager before 125437 is vulnerable to SQL Injection in the support diagnostics module. This occurs via the pollingObject parameter of the getDataCollectionFailureReason API.

Published: October 13, 2021; 7:15:07 PM -0400
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH

Zoho ManageEngine OpManager version 125466 and below is vulnerable to SQL Injection in the getReportData API.

Published: September 30, 2021; 3:15:07 PM -0400
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH

Zoho ManageEngine OpManager before 12.5.329 allows unauthenticated Remote Code Execution due to a general bypass in the deserialization class.

Published: April 22, 2021; 9:15:07 AM -0400
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH

In Zoho ManageEngine OpManager before 125144, when <cachestart> is used, directory traversal validation can be bypassed.

Published: June 04, 2020; 9:15:11 AM -0400
V3.1: 7.5 HIGH
V2.0: 5.0 MEDIUM