) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.
Search Results (Refine Search)
- Results Type: Overview
- Keyword (text search): manageengine
- Search Type: Search All
| Vuln ID | Summary | CVSS Severity |
|---|---|---|
| CVE-2021-37423 |
Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to linked applications takeover. Published: September 10, 2021; 11:15:12 AM -0400 |
V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |
| CVE-2021-37414 |
Zoho ManageEngine DesktopCentral before 10.0.709 allows anyone to get a valid user's APIKEY without authentication. Published: September 10, 2021; 11:15:10 AM -0400 |
V3.1: 7.5 HIGH V2.0: 5.0 MEDIUM |
| CVE-2021-40539 |
Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution. Published: September 07, 2021; 1:15:07 PM -0400 |
V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |
| CVE-2021-37415 |
Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication. Published: September 01, 2021; 2:15:06 AM -0400 |
V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |
| CVE-2021-37421 |
Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass. Published: August 30, 2021; 3:15:09 PM -0400 |
V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |
| CVE-2021-37417 |
Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation. Published: August 30, 2021; 3:15:09 PM -0400 |
V3.1: 9.8 CRITICAL V2.0: 5.0 MEDIUM |
| CVE-2021-37416 |
Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page. Published: August 30, 2021; 3:15:08 PM -0400 |
V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
| CVE-2021-33055 |
Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions. Published: August 30, 2021; 3:15:08 PM -0400 |
V3.1: 9.8 CRITICAL V2.0: 10.0 HIGH |
| CVE-2021-40178 |
Zoho ManageEngine Log360 before Build 5224 allows stored XSS via the LOGO_PATH key value in the logon settings. Published: August 29, 2021; 4:15:07 PM -0400 |
V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
| CVE-2021-40177 |
Zoho ManageEngine Log360 before Build 5225 allows remote code execution via BCP file overwrite. Published: August 29, 2021; 4:15:07 PM -0400 |
V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |
| CVE-2021-40176 |
Zoho ManageEngine Log360 before Build 5225 allows stored XSS. Published: August 29, 2021; 4:15:07 PM -0400 |
V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
| CVE-2021-40175 |
Zoho ManageEngine Log360 before Build 5219 allows unrestricted file upload with resultant remote code execution. Published: August 29, 2021; 4:15:07 PM -0400 |
V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |
| CVE-2021-40174 |
Zoho ManageEngine Log360 before Build 5224 allows a CSRF attack for disabling the logon security settings. Published: August 29, 2021; 4:15:07 PM -0400 |
V3.1: 8.8 HIGH V2.0: 6.8 MEDIUM |
| CVE-2021-40173 |
Zoho ManageEngine Cloud Security Plus before Build 4117 allows a CSRF attack on the server proxy settings. Published: August 29, 2021; 4:15:07 PM -0400 |
V3.1: 8.8 HIGH V2.0: 6.8 MEDIUM |
| CVE-2021-40172 |
Zoho ManageEngine Log360 before Build 5219 allows a CSRF attack on proxy settings. Published: August 29, 2021; 4:15:07 PM -0400 |
V3.1: 8.8 HIGH V2.0: 6.8 MEDIUM |
| CVE-2021-33256 |
A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. The j_username parameter seems to be vulnerable and a reverse shell could be obtained if a privileged user exports "User Attempts Audit Report" as CSV file. Note: The vendor disputes this vulnerability, claiming "This is not a valid vulnerability in our ADSSP product. We don't see this as a security issue at our side. Published: August 09, 2021; 10:15:31 AM -0400 |
V3.1: 8.8 HIGH V2.0: 9.3 HIGH |
| CVE-2021-33617 |
Zoho ManageEngine Password Manager Pro before 11.2 11200 allows login/AjaxResponse.jsp?RequestType=GetUserDomainName&userName= username enumeration, because the response (to a failed login request) is null only when the username is invalid. Published: July 31, 2021; 1:15:07 PM -0400 |
V3.1: 5.3 MEDIUM V2.0: 5.0 MEDIUM |
| CVE-2021-36772 |
Zoho ManageEngine ADManager Plus before 7110 allows stored XSS. Published: July 17, 2021; 3:15:07 PM -0400 |
V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
| CVE-2021-36771 |
Zoho ManageEngine ADManager Plus before 7110 allows reflected XSS. Published: July 17, 2021; 3:15:07 PM -0400 |
V3.1: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
| CVE-2021-33911 |
Zoho ManageEngine ADManager Plus before 7110 allows remote code execution. Published: July 17, 2021; 3:15:07 PM -0400 |
V3.1: 9.8 CRITICAL V2.0: 7.5 HIGH |