Zohocorp Manageengine Applications Manager vulnerabilities

57 known vulnerabilities affecting zohocorp/manageengine_applications_manager.

Total CVEs: 57
CISA KEV: 0
Public exploits: 9
Exploited in wild: 0
Severity breakdown: CRITICAL 19, HIGH 19, MEDIUM 19

Vulnerabilities

Page 2 of 3
CVE-2020-15927 | HIGH | CVSS 8.8 | v14.7 | 2020-10-06
CVE-2020-15927 [HIGH] CWE-89: Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the SAP module.
nvd
CVE-2020-15533 | CRITICAL | CVSS 9.8 | fixed in 14.6 | v14.6 +1 more | 2020-10-01
CVE-2020-15533 [CRITICAL] CWE-89: In Zoho ManageEngine Application Manager 14.7 Build 14730 (before 14684, and between 14689 and 14750), the AlarmEscalation module is vulnerable to unauthenticated SQL Injection attack.
nvd
CVE-2020-15394 | CRITICAL | CVSS 9.8 | fixed in 14.0 | v14.0 | 2020-09-25
CVE-2020-15394 [CRITICAL] CWE-89: The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution.
nvd
CVE-2020-15521 | MEDIUM | CVSS 6.1 | fixed in 14.0 | v14.0 | 2020-09-25
CVE-2020-15521 [MEDIUM] CWE-79: Zoho ManageEngine Applications Manager before 14 build 14730 has no protection against jsp/header.jsp Cross-site Scripting (XSS).
nvd
CVE-2020-14008 | HIGH | CVSS 7.2 | PoC | ≤ 13.0 | v14.0 | 2020-09-04
CVE-2020-14008 [HIGH] CWE-434: Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific location, which leads to remote code execution.
nvd
CVE-2019-19799 | MEDIUM | CVSS 5.3 | fixed in 14.5 | v14.5 | 2020-03-13
CVE-2019-19799 [MEDIUM] CWE-306: Zoho ManageEngine Applications Manager before 14600 allows a remote unauthenticated attacker to disclose license related information via WieldFeedServlet servlet.
nvd
CVE-2014-7863 | HIGH | CVSS 7.5 | PoC | ≤ 11.9 | 2020-02-08
CVE-2014-7863 [HIGH] CWE-200: The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users to (1) read arbitrary files via the fileName parameter in a copyfile operat
nvd
CVE-2019-19800 | MEDIUM | CVSS 5.3 | v14.0 | 2020-02-06
CVE-2019-19800 [MEDIUM] CWE-306: Zoho ManageEngine Applications Manager 14 before 14520 allows a remote unauthenticated attacker to disclose OS file names via FailOverHelperServlet.
nvd
CVE-2019-19475 | HIGH | CVSS 8.8 | v14.3 | 2020-01-10
CVE-2019-19475 [HIGH] CWE-276: An issue was discovered in ManageEngine Applications Manager 14 with Build 14360. Integrated PostgreSQL which is built-in in Applications Manager is prone to attack due to lack of file permission security. The malicious users who are in “Authenticated Users” group can exploit privilege escalation and modify PostgreSQL configuration to execute arbitrar
nvd
CVE-2019-19649 | CRITICAL | CVSS 9.8 | fixed in 13.7 | 2019-12-11
CVE-2019-19649 [CRITICAL] CWE-89: Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function.
nvd
CVE-2019-19650 | HIGH | CVSS 8.8 | fixed in 13.7 | 2019-12-11
CVE-2019-19650 [HIGH] CWE-89: Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function.
nvd
CVE-2019-15105 | HIGH | CVSS 8.8 | PoC | ≥ 12.0, ≤ 14.2 | 2019-08-16
CVE-2019-15105 [HIGH] CWE-89: An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" featur
nvd
CVE-2019-15104 | HIGH | CVSS 8.8 | PoC | ≥ 12.0, ≤ 14.0 | 2019-08-16
CVE-2019-15104 [HIGH] CWE-89: An issue was discovered in Zoho ManageEngine OpManager through 12.4x. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature.
nvd
CVE-2017-11740 | HIGH | CVSS 8.8 | v13.1 | 2019-05-23
CVE-2017-11740 [HIGH] CWE-20: In Zoho ManageEngine Application Manager 13.1 Build 13100, the administrative user has the ability to upload files/binaries that can be executed upon the occurrence of an alarm. An attacker can abuse this functionality by uploading a malicious script that can be executed on the remote system.
nvd
CVE-2017-11738 | HIGH | CVSS 8.1 | v13.1 | 2019-05-23
CVE-2017-11738 [HIGH] CWE-89: In Zoho ManageEngine Application Manager prior to 14.6 Build 14660, the 'haid' parameter of the '/auditLogAction.do' module is vulnerable to a Time-based Blind SQL Injection attack.
nvd
CVE-2017-11557 | MEDIUM | CVSS 5.3 | v12.3 | 2019-05-23
CVE-2017-11557 [MEDIUM] CWE-200: An issue was discovered in ZOHO ManageEngine Applications Manager 12.3. It is possible for an unauthenticated user to view the list of domain names and usernames used in a company's network environment via a userconfiguration.do?method=editUser request.
nvd
CVE-2017-11739 | MEDIUM | CVSS 6.1 | v13.1 | 2019-05-23
CVE-2017-11739 [MEDIUM] CWE-79: In Zoho ManageEngine Application Manager 13.1 Build 13100, an authenticated user, with administrative privileges, has the ability to add a widget on any dashboard. This widget can be a "Utility Widget" with a "Custom HTML or Text" field. Once this widget is created, it will be loaded on the dashboard where it was added. An attacker can abuse this fun
nvd
CVE-2019-11469 | CRITICAL | CVSS 9.8 | PoC | ≥ 12.0, ≤ 14.0 | 2019-04-23
CVE-2019-11469 [CRITICAL] CWE-89: Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature.
nvd
CVE-2019-11448 | CRITICAL | CVSS 9.8 | PoC | ≥ 11.0, ≤ 14.0 | 2019-04-22
CVE-2019-11448 [CRITICAL] CWE-89: An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain the authority of SYSTEM on the server due to a Popup_SLA.jsp sid SQL injection vulnerability. For example, the attacker can subsequently write arbitrary text to a .vbs file.
nvd
CVE-2018-16364 | HIGH | CVSS 8.1 | v13.7 | 2018-09-26
CVE-2018-16364 [HIGH] CWE-502: A serialization vulnerability in Zoho ManageEngine Applications Manager before build 13740 allows for remote code execution on Windows via a payload on an SMB share.
nvd