Zohocorp ManageEngine OpManager vulnerabilities
56 known vulnerabilities affecting zohocorp/manageengine_opmanager.
Total CVEs: 56
CISA KEV: 0
Public exploits: 16
Exploited in wild: 4
Severity breakdown: CRITICAL 19, HIGH 23, MEDIUM 14
Vulnerabilities
Page 2 of 3
CVE-2014-7864 | P2 | HIGH | CVSS 7.5 | CWE-89 | PoC | v8.8, v9.0, +12 more | 2015-02-04
Multiple SQL injection vulnerabilities in the FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine OpManager 8 through 11.5 build 11400 and IT360 10.5 and earlier allow remote attackers and remote authenticated users to execute arbitrary SQL commands via the (1) customerName or (2) serverRole parameter in a standbyUpdateInCentral operatio
nvd
CVE-2018-17243 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | fixed in 12.3 | 2018-09-20
Global Search in Zoho ManageEngine OpManager before 12.3 123205 allows SQL Injection.
nvd
CVE-2014-6036 | P3 | MEDIUM | CVSS 6.4 | CWE-22 | PoC | ≤ 11.3 | 2014-12-04
Directory traversal vulnerability in the multipartRequest servlet in ZOHO ManageEngine OpManager 11.3 and earlier, Social IT Plus 11.0, and IT360 10.3, 10.4, and earlier allows remote attackers or remote authenticated users to delete arbitrary files via a .. (dot dot) in the fileName parameter.
nvd
CVE-2021-40493 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | fixed in 12.5 | v12.5 | 2021-10-13
Zoho ManageEngine OpManager before 125437 is vulnerable to SQL Injection in the support diagnostics module. This occurs via the pollingObject parameter of the getDataCollectionFailureReason API.
nvd
CVE-2021-20078 | P2 | CRITICAL | CVSS 9.1 | CWE-22 | fixed in 12.5 | v12.5 | 2021-04-01
Manage Engine OpManager builds below 125346 are vulnerable to a remote denial of service vulnerability due to a path traversal issue in spark gateway component. This allows a remote attacker to remotely delete any directory or directories on the OS.
nvd
CVE-2018-18475 | P2 | CRITICAL | CVSS 9.8 | CWE-434 | v12.3 | 2018-10-23
Zoho ManageEngine OpManager before 12.3 build 123214 allows Unrestricted Arbitrary File Upload.
nvd
CVE-2018-20173 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | v12.3 | 2018-12-17
Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection via the getGraphData API.
nvd
CVE-2022-27908 | P2 | HIGH | CVSS 8.8 | CWE-89 | fixed in 12.5 | v12.5 | 2022-04-18
Zoho ManageEngine OpManager before 125588 (and before 125603) is vulnerable to authenticated SQL Injection in the Inventory Reports module.
nvd
CVE-2018-18949 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | v11.4, v11.5, +1 more | 2018-11-05
Zoho ManageEngine OpManager 12.3 before 123222 has SQL Injection via Mail Server settings.
nvd
CVE-2020-11946 | P2 | HIGH | CVSS 7.5 | CWE-306 | v12.5 | 2020-04-20
Zoho ManageEngine OpManager before 125120 allows an unauthenticated user to retrieve an API key via a servlet call.
nvd
CVE-2024-5466 | P2 | HIGH | CVSS 8.8 | CWE-94 | ≤ 12.7 | v12.8 | 2024-08-23
Zohocorp ManageEngine OpManager and Remote Monitoring and Management versions 128329 and below are vulnerable to the authenticated remote code execution in the deploy agent option.
nvd
CVE-2020-10541 | P2 | CRITICAL | CVSS 9.8 | fixed in 12.4.179 | 2020-03-13
Zoho ManageEngine OpManager before 12.4.179 allows remote code execution via a specially crafted Mail Server Settings v1 API request. This was fixed in 12.5.108.
nvd
CVE-2018-20338 | P2 | CRITICAL | CVSS 9.8 | CWE-89 | v12.3 | 2018-12-21
Zoho ManageEngine OpManager 12.3 before build 123239 allows SQL injection in the Alarms section.
nvd
CVE-2021-44514 | P2 | CRITICAL | CVSS 9.8 | CWE-287 | v12.5 | 2021-12-09
OpUtils in Zoho ManageEngine OpManager 12.5 before 125490 mishandles authentication for a few audit directories.
nvd
CVE-2020-13818 | P3 | HIGH | CVSS 7.5 | CWE-22 | fixed in 12.5 | v12.5 | 2020-06-04
In Zoho ManageEngine OpManager before 125144, when <cachestart> is used, directory traversal validation can be bypassed.
nvd
CVE-2018-18980 | P3 | HIGH | CVSS 7.5 | CWE-611 | fixed in 12.3.214 | 2018-11-06
An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server.
nvd
CVE-2014-7867 | P3 | HIGH | CVSS 7.5 | CWE-89 | v11.3, v11.4 | 2014-12-04
SQL injection vulnerability in the com.manageengine.opmanager.servlet.UpdateProbeUpgradeStatus servlet in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the probeName parameter.
nvd
CVE-2020-11527 | P3 | HIGH | CVSS 7.5 | fixed in 12.4 | v12.4 | 2020-04-04
In Zoho ManageEngine OpManager before 12.4.181, an unauthenticated remote attacker can send a specially crafted URI to read arbitrary files.
nvd
CVE-2021-41075 | P3 | CRITICAL | CVSS 9.8 | CWE-89 | fixed in 12.5 | v12.5 | 2021-10-13
The NetFlow Analyzer in Zoho ManageEngine OpManager before 125455 is vulnerable to SQL Injection in the Attacks Module API.
nvd
CVE-2015-9107 | P3 | CRITICAL | CVSS 9.8 | CWE-310 | v11.0, v11.1, +6 more | 2017-08-04
Zoho ManageEngine OpManager 11 through 12.2 uses a custom encryption algorithm to protect the credential used to access the monitored devices. The implemented algorithm doesn't use a per-system key or even a salt; therefore, it's possible to create a universal decryptor.
nvd