cbcvebase.

Zohocorp Manageengine Desktop Central vulnerabilities

47 known vulnerabilities affecting zohocorp/manageengine_desktop_central.

Total CVEs
47
CISA KEV
2
actively exploited
Public exploits
10
Exploited in wild
2
Severity breakdown
CRITICAL18HIGH18MEDIUM11

Vulnerabilities

Page 1 of 3
CVE-2021-44515P1CRITICALCVSS 9.8KEVPoCfixed in 10.1.2127.18≥ 10.1.2128.0, < 10.1.2137.32021-12-12
CVE-2021-44515 [CRITICAL] CVE-2021-44515: Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code exe Zoho ManageEngine Desktop Central is vulnerable to authentication bypass, leading to remote code execution on the server, as exploited in the wild in December 2021. For Enterprise builds 10.1.2127.17 and earlier, upgrade to 10.1.2127.18. For Enterprise builds 10.1.2128.0 through 10.1.2137.2, upgrade to 10.1.2137.3. For MSP builds 10.1.2127.17 and earlier,
nvd
CVE-2020-10189P1CRITICALCVSS 9.8KEVPoCfixed in 10.0.4792020-03-06
CVE-2020-10189 [CRITICAL] CWE-502 CVE-2020-10189: Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserializ Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.
nvd
CVE-2013-7390P1CRITICALCVSS 9.8PoC≥ 7.0.0, ≤ 8.0.02020-01-27
CVE-2013-7390 [CRITICAL] CWE-434 CVE-2013-7390: Unrestricted file upload vulnerability in AgentLogUploadServlet in ManageEngine DesktopCentral 7.x a Unrestricted file upload vulnerability in AgentLogUploadServlet in ManageEngine DesktopCentral 7.x and 8.0.0 before build 80293 allows remote attackers to execute arbitrary code by uploading a file with a jsp extension, then accessing it via a direct request to the file in the webroot.
nvd
CVE-2017-11346P2CRITICALCVSS 9.8PoC≤ 10.02017-07-17
CVE-2017-11346 [CRITICAL] CWE-20 CVE-2017-11346: Zoho ManageEngine Desktop Central before build 100092 allows remote attackers to execute arbitrary c Zoho ManageEngine Desktop Central before build 100092 allows remote attackers to execute arbitrary code via vectors involving the upload of help desk videos.
nvd
CVE-2014-5005P2HIGHCVSS 7.5PoC≤ 9.02014-10-21
CVE-2014-5005 [HIGH] CWE-22 CVE-2014-5005: Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 all Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter in an LFU action to statusUpdate.
nvd
CVE-2014-5007P2CRITICALCVSS 9.8PoC≥ 7.0, ≤ 9.02020-01-17
CVE-2014-5007 [CRITICAL] CWE-22 CVE-2014-5007: Directory traversal vulnerability in the agentLogUploader servlet in ZOHO ManageEngine Desktop Centr Directory traversal vulnerability in the agentLogUploader servlet in ZOHO ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90055 allows remote attackers to write to and execute arbitrary files as SYSTEM via a .. (dot dot) in the filename parameter.
nvd
CVE-2014-5006P2HIGHCVSS 7.5PoC≤ 9.02014-10-21
CVE-2014-5006 [HIGH] CWE-22 CVE-2014-5006: Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 all Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter to mdm/mdmLogUploader.
nvd
CVE-2018-16833P3MEDIUMCVSS 6.1PoCv10.0.2712018-09-21
CVE-2018-16833 [MEDIUM] CWE-79 CVE-2018-16833: Zoho ManageEngine Desktop Central 10.0.271 has XSS via the "Features & Articles" search field to the Zoho ManageEngine Desktop Central 10.0.271 has XSS via the "Features & Articles" search field to the /advsearch.do?SUBREQUEST=XMLHTTP URI.
nvd
CVE-2021-44757P2CRITICALCVSS 9.1fixed in 10.1.2137.92022-01-18
CVE-2021-44757 [CRITICAL] CVE-2021-44757: Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9 allo Zoho ManageEngine Desktop Central before 10.1.2137.9 and Desktop Central MSP before 10.1.2137.9 allow attackers to bypass authentication, and read sensitive information or upload an arbitrary ZIP archive to the server.
nvd
CVE-2015-2560P2CRITICALCVSS 9.8v9.02017-08-02
CVE-2015-2560 [CRITICAL] CWE-264 CVE-2015-2560: Manage Engine Desktop Central 9 before build 90135 allows remote attackers to change passwords of us Manage Engine Desktop Central 9 before build 90135 allows remote attackers to change passwords of users with the Administrator role via an addOrModifyUser operation to servlets/DCOperationsServlet.
nvd
CVE-2022-23779P3MEDIUMCVSS 5.3PoCfixed in 10.1.2137.82022-03-02
CVE-2022-23779 [MEDIUM] CWE-200 CVE-2022-23779: Zoho ManageEngine Desktop Central before 10.1.2137.8 exposes the installed server name to anyone. Th Zoho ManageEngine Desktop Central before 10.1.2137.8 exposes the installed server name to anyone. The internal hostname can be discovered by reading HTTP redirect responses.
nvd
CVE-2020-15588P2CRITICALCVSS 9.8fixed in 10.0.5612020-07-29
CVE-2020-15588 [CRITICAL] CWE-190 CVE-2020-15588: An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.552.W. An attac An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.552.W. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges. This issue will occur only when untrusted co
nvd
CVE-2018-11716P2CRITICALCVSS 9.8fixed in 1002302018-07-16
CVE-2018-11716 [CRITICAL] CWE-532 CVE-2018-11716: An issue was discovered in Zoho ManageEngine Desktop Central before 100230. There is unauthenticated An issue was discovered in Zoho ManageEngine Desktop Central before 100230. There is unauthenticated remote access to all log files of a Desktop Central instance containing critical information (private information such as location of enrolled devices, cleartext passwords, patching level, etc.) via a GET request on port 8022, 8443, or 8444.
nvd
CVE-2014-9371P2CRITICALCVSS 10.0≤ 9.02014-12-16
CVE-2014-9371 [CRITICAL] CWE-20 CVE-2014-9371: The NativeAppServlet in ManageEngine Desktop Central MSP before 90075 allows remote attackers to exe The NativeAppServlet in ManageEngine Desktop Central MSP before 90075 allows remote attackers to execute arbitrary code via a crafted JSON object.
nvd
CVE-2020-8540P2CRITICALCVSS 9.8fixed in 2020-03-072020-03-11
CVE-2020-8540 [CRITICAL] CWE-611 CVE-2020-8540: An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-20 An XML external entity (XXE) vulnerability in Zoho ManageEngine Desktop Central before the 07-Mar-2020 update allows remote unauthenticated users to read arbitrary files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
nvd
CVE-2021-46164P2HIGHCVSS 8.8fixed in 10.0.6622022-01-10
CVE-2021-46164 [HIGH] CVE-2021-46164: Zoho ManageEngine Desktop Central before 10.0.662 allows remote code execution by an authenticated u Zoho ManageEngine Desktop Central before 10.0.662 allows remote code execution by an authenticated user who has complete access to the Reports module.
nvd
CVE-2020-28050P2CRITICALCVSS 9.1fixed in 10.0.6472021-03-05
CVE-2020-28050 [CRITICAL] CWE-287 CVE-2020-28050: Zoho ManageEngine Desktop Central before build 10.0.647 allows a single authentication secret from m Zoho ManageEngine Desktop Central before build 10.0.647 allows a single authentication secret from multiple agents to communicate with the server.
nvd
CVE-2022-48362P2HIGHCVSS 8.8fixed in 10.1.2137.22023-02-25
CVE-2022-48362 [HIGH] CVE-2022-48362: Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2 allow directory travers Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2 allow directory traversal via computerName to AgentLogUploadServlet. A remote, authenticated attacker could upload arbitrary code that would be executed when Desktop Central is restarted. (The attacker could authenticate by exploiting CVE-2021-44515.)
nvd
CVE-2020-24397P3HIGHCVSS 7.2v10.0.02020-10-02
CVE-2020-24397 [HIGH] CWE-190 CVE-2020-24397: An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.0.SP-534. An at An issue was discovered in the client side of Zoho ManageEngine Desktop Central 10.0.0.SP-534. An attacker-controlled server can trigger an integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate that leads to a heap-based buffer overflow and Remote Code Execution with SYSTEM privileges.
nvd
CVE-2018-11717P3CRITICALCVSS 9.8fixed in 1002512018-07-16
CVE-2018-11717 [CRITICAL] CWE-532 CVE-2018-11717: An issue was discovered in Zoho ManageEngine Desktop Central before 100251. By leveraging access to An issue was discovered in Zoho ManageEngine Desktop Central before 100251. By leveraging access to a log file, a context-dependent attacker can obtain (depending on the modules configured) the Base64 encoded Password/Username of AD accounts, the cleartext Password/Username and mail settings of the EAS account (an AD account used to send mail), the
nvd
Zohocorp Manageengine Desktop Central vulnerabilities | cvebase