Zohocorp Manageengine Applications Manager vulnerabilities
57 known vulnerabilities affecting zohocorp/manageengine_applications_manager.
Total CVEs: 57
CISA KEV: 0
Public exploits: 9
Exploited in wild: 0
Severity breakdown: CRITICAL 19, HIGH 19, MEDIUM 19
Vulnerabilities
Page 2 of 3
CVE-2017-16848 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | v13.0 | 2017-11-16
Zoho ManageEngine Applications Manager 13 allows SQL injection via the /manageConfMons.do groupname parameter.
nvd
CVE-2025-9223 | P2 | HIGH | CVSS 8.8 | CWE-77 | fixed in 178200 | 2025-11-11
Zohocorp ManageEngine Applications Manager versions 178100 and below are vulnerable to authenticated command injection vulnerability due to the improper configuration in the execute program action feature.
nvd
CVE-2019-19649 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | fixed in 13.7 | 2019-12-11
Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid parameter to the SyncEventServlet.java doGet function.
nvd
CVE-2018-11808 | P2 | CRITICAL | CVSS 9.1 | CWE-20 | v13 | 2018-06-06
Incorrect Access Control in CustomFieldsFeedServlet in Zoho ManageEngine Applications Manager Version 13 before build 13740 allows an attacker to delete any file and read certain files on the server in the context of the user (which by default is "NT AUTHORITY / SYSTEM") by sending a specially crafted request to the server.
nvd
CVE-2020-27995 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | v14.0 | 2020-10-29
SQL Injection in Zoho ManageEngine Applications Manager 14 before 14560 allows an attacker to execute commands on the server via the MyPage.do template_resid parameter.
nvd
CVE-2018-15168 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | fixed in 13.13820 | 2018-08-08
A SQL Injection vulnerability exists in the Zoho ManageEngine Applications Manager 13 before build 13820 via the resids parameter in a /editDisplaynames.do?method=editDisplaynames GET request.
nvd
CVE-2020-15533 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | fixed in 14.6 | v14.6 (+1 more) | 2020-10-01
In Zoho ManageEngine Application Manager 14.7 Build 14730 (before 14684, and between 14689 and 14750), the AlarmEscalation module is vulnerable to unauthenticated SQL Injection attack.
nvd
CVE-2020-27733 | P2 | HIGH | CVSS 8.8 | CWE-89 | v14.0 | 2021-01-19
Zoho ManageEngine Applications Manager before 14 build 14880 allows an authenticated SQL Injection via a crafted Alarmview request.
nvd
CVE-2023-28341 | P3 | MEDIUM | CVSS 6.1 | CWE-79 | ≥ 16.0, < 16.3 | v15.9 (+1 more) | 2023-04-11
Stored Cross site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to inject malicious javascript on the incorrect login details page.
nvd
CVE-2018-16364 | P3 | HIGH | CVSS 8.1 | CWE-502 | v13.7 | 2018-09-26
A serialization vulnerability in Zoho ManageEngine Applications Manager before build 13740 allows for remote code execution on Windows via a payload on an SMB share.
nvd
CVE-2019-19475 | P3 | HIGH | CVSS 8.8 | CWE-276 | v14.3 | 2020-01-10
An issue was discovered in ManageEngine Applications Manager 14 with Build 14360. Integrated PostgreSQL which is built-in in Applications Manager is prone to attack due to lack of file permission security. The malicious users who are in “Authenticated Users” group can exploit privilege escalation and modify PostgreSQL configuration to execute arbitrar
nvd
CVE-2019-19650 | P3 | HIGH | CVSS 8.8 | CWE-89 | fixed in 13.7 | 2019-12-11
Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to the Agent.java process function.
nvd
CVE-2021-31813 | P3 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 15.1 | v15.1 | 2021-07-01
Zoho ManageEngine Applications Manager before 15130 is vulnerable to Stored XSS while importing malicious user details (e.g., a crafted user name) from AD.
nvd
CVE-2020-28679 | P3 | HIGH | CVSS 8.8 | CWE-89 | v11.0, v11.1 (+33 more) | 2022-01-10
A vulnerability in the showReports module of Zoho ManageEngine Applications Manager before build 14550 allows authenticated attackers to execute a SQL injection via a crafted request.
nvd
CVE-2020-24743 | P3 | CRITICAL | CVSS 9.8 | fixed in 14.5 | v14.5 | 2021-11-03
An issue was found in /showReports.do Zoho ManageEngine Applications Manager up to 14550, allows attackers to gain escalated privileges via the resourceid parameter.
nvd
CVE-2017-11740 | P3 | HIGH | CVSS 8.8 | CWE-20 | v13.1 | 2019-05-23
In Zoho ManageEngine Application Manager 13.1 Build 13100, the administrative user has the ability to upload files/binaries that can be executed upon the occurrence of an alarm. An attacker can abuse this functionality by uploading a malicious script that can be executed on the remote system.
nvd
CVE-2020-10816 | P3 | HIGH | CVSS 7.5 | CWE-287 | v14.7 | 2020-10-08
Zoho ManageEngine Applications Manager 14780 and before allows a remote unauthenticated attacker to register managed servers via AAMRequestProcessor servlet.
nvd
CVE-2017-11738 | P3 | HIGH | CVSS 8.1 | CWE-89 | v13.1 | 2019-05-23
In Zoho ManageEngine Application Manager prior to 14.6 Build 14660, the 'haid' parameter of the '/auditLogAction.do' module is vulnerable to a Time-based Blind SQL Injection attack.
nvd
CVE-2016-9489 | P3 | HIGH | CVSS 8.8 | CWE-269 | v12.0, v13.0 | 2018-07-13
In ManageEngine Applications Manager 12 and 13 before build 13200, an authenticated user is able to alter all of their own properties, including own group, i.e. changing their group to one with higher privileges like "ADMIN". A user is also able to change properties of another user, e.g. change another user's password.
nvd
CVE-2022-23050 | P3 | HIGH | CVSS 7.2 | CWE-427 | ≥ 15.0, < 15.5 | v15.5 | 2022-05-24
ManageEngine AppManager15 (Build No:15510) allows an authenticated admin user to upload a DLL file to perform a DLL hijack attack inside the 'working' folder through the 'Upload Files / Binaries' functionality.
nvd