Zohocorp ManageEngine Applications Manager vulnerabilities

57 known vulnerabilities affecting zohocorp/manageengine_applications_manager.

Total CVEs: 57
CISA KEV: 0
Public exploits: 9
Exploited in wild: 0
Severity breakdown: CRITICAL 19, HIGH 19, MEDIUM 19

Vulnerabilities

Page 1 of 3
CVE-2025-9787 | MEDIUM | CVSS 6.1 | ≥ 17.4, < 17.7 | v17.3 | +2 more | 2025-12-18
CVE-2025-9787 [MEDIUM] CWE-79: Zohocorp ManageEngine Applications Manager versions 177400 and below are vulnerable to Stored Cross-Site Scripting vulnerability in the NOC view.
cvelistv5, nvd
CVE-2025-9223 | HIGH | CVSS 8.8 | fixed in 178200 | 2025-11-11
CVE-2025-9223 [HIGH] CWE-77: Zohocorp ManageEngine Applications Manager versions 178100 and below are vulnerable to authenticated command injection vulnerability due to the improper configuration in the execute program action feature.
cvelistv5, nvd
CVE-2025-6239 | MEDIUM | CVSS 6.5 | fixed in 17.6 | v17.6 | +1 more | 2025-10-21
CVE-2025-6239 [MEDIUM] CWE-200: Zohocorp ManageEngine Applications Manager versions 176800 and below are vulnerable to information disclosure in File/Directory monitor.
cvelistv5, nvd
CVE-2025-27930 | MEDIUM | CVSS 5.4 | fixed in 17.6 | v17.6 | 2025-07-23
CVE-2025-27930 [MEDIUM] CWE-79: Zohocorp ManageEngine Applications Manager versions 176600 and prior are vulnerable to stored cross-site scripting in the File/Directory monitor.
nvd
CVE-2024-41140 | MEDIUM | CVSS 6.5 | fixed in 17.0 | ≥ 17.1, < 17.3 | +2 more | 2025-01-29
CVE-2024-41140 [HIGH] CWE-863: Zohocorp ManageEngine Applications Manager versions 174000 and prior are vulnerable to the incorrect authorization in the update user function.
nvd
CVE-2024-5678 | MEDIUM | CVSS 4.7 | fixed in 16.8 | v16.8 | +1 more | 2024-08-01
CVE-2024-5678 [MEDIUM] CWE-89: Zohocorp ManageEngine Applications Manager versions 170900 and below are vulnerable to the authenticated admin-only SQL Injection in the Create Monitor feature.
nvd
CVE-2023-38333 | MEDIUM | CVSS 6.1 | fixed in 16.5 | v16.5 | 2023-08-10
CVE-2023-38333 [MEDIUM] CWE-79: Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in.
nvd
CVE-2023-29442 | MEDIUM | CVSS 6.1 | fixed in 16.3 | v16.3 | 2023-04-26
CVE-2023-29442 [MEDIUM] CWE-79: Zoho ManageEngine Applications Manager before 16400 allows proxy.html DOM XSS.
nvd
CVE-2023-28340 | MEDIUM | CVSS 6.5 | fixed in 16.3 | v16.3 | 2023-04-11
CVE-2023-28340 [MEDIUM] CWE-611: Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack.
nvd
CVE-2023-28341 | MEDIUM | CVSS 6.1 | ≥ 16.0, < 16.3 | v15.9 | +1 more | 2023-04-11
CVE-2023-28341 [MEDIUM] CWE-79: Stored Cross site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to inject malicious javascript on the incorrect login details page.
nvd
CVE-2022-23050 | HIGH | CVSS 7.2 | ≥ 15.0, < 15.5 | v15.5 | 2022-05-24
CVE-2022-23050 [HIGH] CWE-427: ManageEngine AppManager15 (Build No:15510) allows an authenticated admin user to upload a DLL file to perform a DLL hijack attack inside the 'working' folder through the 'Upload Files / Binaries' functionality.
nvd
CVE-2020-28679 | HIGH | CVSS 8.8 | v11.0 | v11.1 | +33 more | 2022-01-10
CVE-2020-28679 [HIGH] CWE-89: A vulnerability in the showReports module of Zoho ManageEngine Applications Manager before build 14550 allows authenticated attackers to execute a SQL injection via a crafted request.
nvd
CVE-2020-24743 | CRITICAL | CVSS 9.8 | fixed in 14.5 | v14.5 | 2021-11-03
CVE-2020-24743 [CRITICAL]: An issue was found in /showReports.do Zoho ManageEngine Applications Manager up to 14550, allows attackers to gain escalated privileges via the resourceid parameter.
nvd
CVE-2021-35512 | MEDIUM | CVSS 6.5 | v15.2 | 2021-10-21
CVE-2021-35512 [MEDIUM] CWE-918: An SSRF issue was discovered in Zoho ManageEngine Applications Manager build 15200.
nvd
CVE-2021-31813 | MEDIUM | CVSS 5.4 | fixed in 15.1 | v15.1 | 2021-07-01
CVE-2021-31813 [MEDIUM] CWE-79: Zoho ManageEngine Applications Manager before 15130 is vulnerable to Stored XSS while importing malicious user details (e.g., a crafted user name) from AD.
nvd
CVE-2020-35765 | HIGH | CVSS 8.8 | fixed in 14.9 | v14.9 | 2021-02-05
CVE-2020-35765 [HIGH] CWE-89: doFilter in com.adventnet.appmanager.filter.UriCollector in Zoho ManageEngine Applications Manager through 14930 allows an authenticated SQL Injection via the resourceid parameter to showresource.do.
nvd
CVE-2020-27733 | HIGH | CVSS 8.8 | v14.0 | 2021-01-19
CVE-2020-27733 [HIGH] CWE-89: Zoho ManageEngine Applications Manager before 14 build 14880 allows an authenticated SQL Injection via a crafted Alarmview request.
nvd
CVE-2020-27995 | CRITICAL | CVSS 9.8 | v14.0 | 2020-10-29
CVE-2020-27995 [CRITICAL] CWE-89: SQL Injection in Zoho ManageEngine Applications Manager 14 before 14560 allows an attacker to execute commands on the server via the MyPage.do template_resid parameter.
nvd
CVE-2020-10816 | HIGH | CVSS 7.5 | v14.7 | 2020-10-08
CVE-2020-10816 [HIGH] CWE-287: Zoho ManageEngine Applications Manager 14780 and before allows a remote unauthenticated attacker to register managed servers via AAMRequestProcessor servlet.
nvd
CVE-2020-16267 | HIGH | CVSS 8.8 | v14.7 | 2020-10-06
CVE-2020-16267 [HIGH] CWE-89: Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the RCA module.
nvd