ManageEngine OpManager vulnerabilities

7 known vulnerabilities affecting manageengine/opmanager.

Total CVEs: 7
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 5

Vulnerabilities

CVE-2025-41437 | MEDIUM | CVSS 4.3 | fixed in 128566 | 2025-06-09
CVE-2025-41437 [MEDIUM] CWE-79: Zohocorp ManageEngine OpManager, NetFlow Analyzer, Network Configuration Manager, Firewall Analyzer and OpUtils versions 128565 and below are vulnerable to Reflected XSS on the login page.
Sources: cvelistv5, nvd
CVE-2024-6748 | HIGH | CVSS 8.3 | ≤ 128317 | 2024-07-29
CVE-2024-6748 [HIGH] CWE-89: Zohocorp ManageEngine OpManager, OpManager Plus, OpManager MSP and RMM versions 128317 and below are vulnerable to authenticated SQL injection in the URL monitoring.
Sources: cvelistv5, nvd
CVE-2024-36038 | MEDIUM | CVSS 6.3 | ≥ 128234, < 128248 | 2024-06-24
CVE-2024-36038 [MEDIUM] CWE-79: Zoho ManageEngine ITOM products versions from 128234 to 128248 are affected by the stored cross-site scripting vulnerability in the proxy server option.
Sources: cvelistv5, nvd
CVE-2023-47211 | HIGH | CVSS 8.6 | PoC | v12.7.258 | 2024-01-08
CVE-2023-47211 [CRITICAL] CWE-22: A directory traversal vulnerability exists in the uploadMib functionality of ManageEngine OpManager 12.7.258. A specially crafted HTTP request can lead to arbitrary file creation. An attacker can send a malicious MiB file to trigger this vulnerability.
Sources: cvelistv5, nvd
CVE-2022-43473 | MEDIUM | CVSS 5.4 | v12.6.168 | 2023-03-30
CVE-2022-43473 [MEDIUM] CWE-611: A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve a malicious XML payload to trigger this vulnerability.
Sources: cvelistv5, nvd
CVE-2020-19554 | MEDIUM | CVSS 6.1 | ≤ 12.5.174 | 2021-09-21
CVE-2020-19554 [MEDIUM] CWE-79: Cross Site Scripting (XSS) vulnerability exists in ManageEngine OPManager <=12.5.174 when the API key contains an XML-based XSS payload.
Source: nvd
CVE-2007-5891 | MEDIUM | CVSS 4.3 | v7.0 | 2007-11-08
CVE-2007-5891 [MEDIUM] CWE-79: Multiple cross-site scripting (XSS) vulnerabilities in jsp/Login.do in ManageEngine OpManager MSP Edition and OpManager 7.0 allow remote attackers to inject arbitrary web script or HTML via the (1) requestid, (2) fileid, (3) woMode, and (4) woID parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third
Source: nvd