Zohocorp Manageengine Opmanager vulnerabilities
56 known vulnerabilities affecting zohocorp/manageengine_opmanager.
Total CVEs
56
CISA KEV
0
Public exploits
16
Exploited in wild
4
Severity breakdown
CRITICAL19HIGH23MEDIUM14
Vulnerabilities
Page 3 of 3
CVE-2017-11559P3HIGHCVSS 7.5v12.22019-05-23
CVE-2017-11559 [HIGH] CWE-89 CVE-2017-11559: An issue was discovered in ZOHO ManageEngine OpManager 12.2. The 'apiKey' parameter of "/api/json/ad
An issue was discovered in ZOHO ManageEngine OpManager 12.2. The 'apiKey' parameter of "/api/json/admin/getmailserversettings" and "/api/json/dashboard/gotoverviewlist" is vulnerable to a Blind SQL Injection attack.
nvd
CVE-2022-35404P3HIGHCVSS 8.2fixed in 12.5v12.52022-07-18
CVE-2022-35404 [HIGH] CWE-20 CVE-2022-35404: ManageEngine Password Manager Pro 12100 and prior and OPManager 126100 and prior are vulnerable to u
ManageEngine Password Manager Pro 12100 and prior and OPManager 126100 and prior are vulnerable to unauthorized file and directory creation on a server machine.
nvd
CVE-2019-12133P3HIGHCVSS 7.8v12.32019-06-18
CVE-2019-12133 [HIGH] CWE-427 CVE-2019-12133: Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissio
Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged use
nvd
CVE-2022-43473P3MEDIUMCVSS 5.4fixed in 12.6v12.62023-03-30
CVE-2022-43473 [MEDIUM] CWE-611 CVE-2022-43473: A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of Manage
A blind XML External Entity (XXE) vulnerability exists in the Add UCS Device functionality of ManageEngine OpManager 12.6.168. A specially crafted XML file can lead to SSRF. An attacker can serve
a malicious XML payload to trigger this vulnerability.
nvd
CVE-2019-17421P3HIGHCVSS 7.8v12.42019-11-21
CVE-2019-17421 [HIGH] CWE-276 CVE-2019-17421: Incorrect file permissions on the packaged Nipper executable file in Zoho ManageEngine OpManager 12.
Incorrect file permissions on the packaged Nipper executable file in Zoho ManageEngine OpManager 12.4.072 and Firewall Analyzer 12.4.072 allow local users to elevate privileges to root by overwriting this file with a malicious payload.
nvd
CVE-2017-11561P3MEDIUMCVSS 6.5v12.22019-05-23
CVE-2017-11561 [MEDIUM] CWE-434 CVE-2017-11561: An issue was discovered in ZOHO ManageEngine OpManager 12.2. An authenticated user can upload any fi
An issue was discovered in ZOHO ManageEngine OpManager 12.2. An authenticated user can upload any file they want to share in the "Group Chat" or "Alarm" section. This functionality can be abused by a malicious user by uploading a web shell.
nvd
CVE-2025-9227P4MEDIUMCVSS 6.5≤ 1286092025-11-11
CVE-2025-9227 [MEDIUM] CWE-79 CVE-2025-9227: Zohocorp ManageEngine OpManager versions 128609 and below are vulnerable to Stored XSS Vulnerability
Zohocorp ManageEngine OpManager versions 128609 and below are vulnerable to Stored XSS Vulnerability in the SNMP trap processor.
nvd
CVE-2018-18715P4MEDIUMCVSS 6.1v12.32018-11-20
CVE-2018-18715 [MEDIUM] CWE-79 CVE-2018-18715: Zoho ManageEngine OpManager 12.3 before 123219 has stored XSS.
Zoho ManageEngine OpManager 12.3 before 123219 has stored XSS.
nvd
CVE-2018-19288P4MEDIUMCVSS 6.1v11.4v11.5+1 more2018-11-15
CVE-2018-19288 [MEDIUM] CWE-79 CVE-2018-19288: Zoho ManageEngine OpManager 12.3 before Build 123223 has XSS via the updateWidget API.
Zoho ManageEngine OpManager 12.3 before Build 123223 has XSS via the updateWidget API.
nvd
CVE-2023-6105P4MEDIUMCVSS 5.5fixed in 12.5v12.5+2 more2023-11-15
CVE-2023-6105 [MEDIUM] CWE-200 CVE-2023-6105: An information disclosure vulnerability exists in multiple ManageEngine products that can result in
An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine pr
nvd
CVE-2018-18716P4MEDIUMCVSS 6.1v11.4v11.5+1 more2018-11-20
CVE-2018-18716 [MEDIUM] CWE-79 CVE-2018-18716: Zoho ManageEngine OpManager 12.3 before 123219 has a Self XSS Vulnerability.
Zoho ManageEngine OpManager 12.3 before 123219 has a Self XSS Vulnerability.
nvd
CVE-2018-18262P4MEDIUMCVSS 6.1v12.32018-10-17
CVE-2018-18262 [MEDIUM] CWE-79 CVE-2018-18262: Zoho ManageEngine OpManager 12.3 before build 123214 has XSS.
Zoho ManageEngine OpManager 12.3 before build 123214 has XSS.
nvd
CVE-2018-19921P4MEDIUMCVSS 6.1v11.4v11.5+7 more2018-12-06
CVE-2018-19921 [MEDIUM] CWE-79 CVE-2018-19921: Zoho ManageEngine OpManager 12.3 before 123237 has XSS in the domain controller.
Zoho ManageEngine OpManager 12.3 before 123237 has XSS in the domain controller.
nvd
CVE-2017-11560P4MEDIUMCVSS 5.4v12.22019-05-23
CVE-2017-11560 [MEDIUM] CWE-79 CVE-2017-11560: An issue was discovered in ZOHO ManageEngine OpManager 12.2. By adding a Google Map to the applicati
An issue was discovered in ZOHO ManageEngine OpManager 12.2. By adding a Google Map to the application, an authenticated user can upload an HTML file. This HTML file is then rendered in various locations of the application. JavaScript inside the uploaded HTML is also interpreted by the application. Thus, an attacker can inject a malicious JavaScript
nvd
CVE-2018-20339P4MEDIUMCVSS 6.1v12.32018-12-21
CVE-2018-20339 [MEDIUM] CWE-79 CVE-2018-20339: Zoho ManageEngine OpManager 12.3 before build 123239 allows XSS in the Notes column of the Alarms se
Zoho ManageEngine OpManager 12.3 before build 123239 allows XSS in the Notes column of the Alarms section.
nvd
CVE-2025-9226P4MEDIUMCVSS 4.6fixed in 1285822026-01-30
CVE-2025-9226 [MEDIUM] CWE-79 CVE-2025-9226: Zohocorp ManageEngine OpManager, NetFlow Analyzer, and OpUtils versions prior to 128582 are affected
Zohocorp ManageEngine OpManager, NetFlow Analyzer, and OpUtils versions prior to 128582 are affected by a stored cross-site scripting vulnerability in the Subnet Details.
nvd
← Previous3 / 3