Zoho ManageEngine OpManager vulnerabilities

56 known vulnerabilities affecting zohocorp/manageengine_opmanager.

Total CVEs: 56
CISA KEV: 0
Public exploits: 16
Exploited in wild: 0
Severity breakdown: CRITICAL 19, HIGH 23, MEDIUM 14

Vulnerabilities

Page 3 of 3
CVE-2018-18980 | HIGH | CVSS 7.5 | fixed in 12.3.214 | 2018-11-06
CWE-611 (XXE): An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server.
Source: NVD
CVE-2018-18949 | CRITICAL | CVSS 9.8 | affected versions: 11.4, 11.5, +1 more | 2018-11-05
CWE-89 (SQL injection): Zoho ManageEngine OpManager 12.3 before build 123222 has SQL Injection via Mail Server settings.
Source: NVD
CVE-2018-18475 | CRITICAL | CVSS 9.8 | affected versions: 12.3 | 2018-10-23
CWE-434 (unrestricted file upload): Zoho ManageEngine OpManager before 12.3 build 123214 allows Unrestricted Arbitrary File Upload.
Source: NVD
CVE-2018-18262 | MEDIUM | CVSS 6.1 | affected versions: 12.3 | 2018-10-17
CWE-79 (XSS): Zoho ManageEngine OpManager 12.3 before build 123214 has XSS.
Source: NVD
CVE-2018-17283 | HIGH | CVSS 7.5 | PoC | fixed in 12.3 | 2018-09-21
CWE-89 (SQL injection): Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name pa
Source: NVD
CVE-2018-17243 | CRITICAL | CVSS 9.8 | fixed in 12.3 | 2018-09-20
CWE-89 (SQL injection): Global Search in Zoho ManageEngine OpManager before 12.3 build 123205 allows SQL Injection.
Source: NVD
CVE-2015-9107 | CRITICAL | CVSS 9.8 | affected versions: 11.0, 11.1, +6 more | 2017-08-04
CWE-310 (cryptographic issues): Zoho ManageEngine OpManager 11 through 12.2 uses a custom encryption algorithm to protect the credentials used to access the monitored devices. The implemented algorithm doesn't use a per-system key or even a salt; therefore, it's possible to create a universal decryptor.
Source: NVD
CVE-2015-7765 | CRITICAL | CVSS 9.0 | PoC | affected versions: 11.5 | 2015-10-09
ZOHO ManageEngine OpManager 11.5 build 11600 and earlier uses a hardcoded password of "plugin" for the IntegrationUser account, which allows remote authenticated users to obtain administrator access by leveraging knowledge of this password.
Source: NVD
CVE-2015-7766 | CRITICAL | CVSS 9.0 | PoC | affected versions: ≤ 11.5, 11.6 | 2015-10-09
CWE-264 (permissions, privileges and access controls): PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and earlier allows remote administrators to bypass SQL query restrictions via a comment in the query to api/json/admin/SubmitQuery, as demonstrated by "INSERT/**/INTO."
Source: NVD
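CVE-2015-7766 is the textbook failure of a keyword filter on raw SQL text: a comment token breaks the literal phrase the filter searches for, and the database, which treats the comment as whitespace, still executes the write. The following is an added example, not OpManager's code and not the page's, written in Python against the standard sqlite3 module. The deny-list filter is hypothetical and only stands in for the kind of "SQL query restriction" the entry describes. It shows the bypass, shows the same filter applied after comment stripping, and then shows the control that holds no matter what the filter decides: executing the query on a connection that cannot write (SQLite's query_only pragma here, standing in for a read-only database role on the real server).

```python
import re
import sqlite3

# Hypothetical deny-list of write phrases, standing in for the kind of
# "SQL query restriction" CVE-2015-7766 describes. Not OpManager's code.
DENIED_PHRASES = ("INSERT INTO", "UPDATE ", "DELETE FROM", "DROP ", "ALTER ", "CREATE ")


def naive_filter_allows(query: str) -> bool:
    """Weak check: matches literal phrases, so INSERT/**/INTO slips through."""
    upper = query.upper()
    return not any(phrase in upper for phrase in DENIED_PHRASES)


def strip_sql_comments(query: str) -> str:
    """Drop /* ... */ and -- comments, then collapse runs of whitespace.

    Demo-grade normalization: it does not understand string literals, so a
    '--' inside a quoted value is removed too. It exists to show that a
    filter must see normalized tokens, not to be the security boundary.
    """
    no_block = re.sub(r"/\*.*?\*/", " ", query, flags=re.S)
    no_line = re.sub(r"--[^\n]*", " ", no_block)
    return re.sub(r"\s+", " ", no_line).strip()


def normalized_filter_allows(query: str) -> bool:
    """Same deny-list, applied after comment stripping."""
    return naive_filter_allows(strip_sql_comments(query))


def run_read_only(query: str):
    """Execute on a connection that cannot write, whatever the filter decided.

    SQLite's query_only pragma stands in for running a reporting query under
    a read-only database role. Returns (rows, error_message).
    """
    conn = sqlite3.connect(":memory:")
    try:
        # Constructed sample table so a SELECT has something to return.
        conn.execute("CREATE TABLE users(name TEXT)")
        conn.execute("INSERT INTO users VALUES ('admin')")
        conn.commit()
        conn.execute("PRAGMA query_only = 1")
        return conn.execute(query).fetchall(), None
    except sqlite3.OperationalError as exc:
        return None, str(exc)
    finally:
        conn.close()


if __name__ == "__main__":
    bypass = "INSERT/**/INTO users VALUES ('attacker')"
    print("naive filter allows bypass:     ", naive_filter_allows(bypass))       # True
    print("normalized filter allows bypass:", normalized_filter_allows(bypass))  # False
    print("read-only execution:            ", run_read_only(bypass))             # rows None, error names a readonly database
```

The comment-stripping step closes this particular bypass, but any filter that reasons about SQL text will keep losing to the parser's real grammar (string literals, stacked statements, dialect-specific comment forms). The durable fix is the last function: a database role or connection that has no write privilege, so the filter becomes defence in depth rather than the boundary.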
CVE-2014-7864 | HIGH | CVSS 7.5 | PoC | affected versions: 8.8, 9.0, +12 more | 2015-02-04
CWE-89 (SQL injection): Multiple SQL injection vulnerabilities in the FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine OpManager 8 through 11.5 build 11400 and IT360 10.5 and earlier allow remote attackers and remote authenticated users to execute arbitrary SQL commands via the (1) customerName or (2) serverRole parameter in a standbyUpdateInCentral operatio
Source: NVD
CVE-2014-7866 | HIGH | CVSS 7.5 | PoC | affected versions: 8.8, 9.0, +11 more | 2014-12-10
CWE-22 (path traversal): Multiple directory traversal vulnerabilities in ZOHO ManageEngine OpManager 8 (build 88xx) through 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to write and execute arbitrary files via a .. (dot dot) in the (1) fileName parameter to the MigrateLEEData servlet or (2) zipFileName parameter in a dow
Source: NVD
CVE-2014-7867 | HIGH | CVSS 7.5 | affected versions: 11.3, 11.4 | 2014-12-04
CWE-89 (SQL injection): SQL injection vulnerability in the com.manageengine.opmanager.servlet.UpdateProbeUpgradeStatus servlet in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the probeName parameter.
Source: NVD
CVE-2014-7868 | HIGH | CVSS 7.5 | PoC | affected versions: 11.3, 11.4 | 2014-12-04
CWE-89 (SQL injection): Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the (1) OPM_BVNAME parameter in a Delete operation to the APMBVHandler servlet or (2) query parameter in a compare operation to the Data
Source: NVD
CVE-2014-6035 | HIGH | CVSS 7.5 | PoC | affected versions: ≤ 11.3, 11.4 | 2014-12-04
CWE-22 (path traversal): Directory traversal vulnerability in the FileCollector servlet in ZOHO ManageEngine OpManager 11.4, 11.3, and earlier allows remote attackers to write and execute arbitrary files via a .. (dot dot) in the FILENAME parameter.
Source: NVD
CVE-2014-6034 | MEDIUM | CVSS 5.0 | PoC | affected versions: 8.8, 9.0, +10 more | 2014-12-04
CWE-22 (path traversal): Directory traversal vulnerability in the com.me.opmanager.extranet.remote.communication.fw.fe.FileCollector servlet in ZOHO ManageEngine OpManager 8.8 through 11.3, Social IT Plus 11.0, and IT360 10.4 and earlier allows remote attackers or remote authenticated users to write to and execute arbitrary WAR files via a .. (dot dot) in the regionID paramete
Source: NVD
CVE-2014-6036 | MEDIUM | CVSS 6.4 | PoC | affected versions: ≤ 11.3 | 2014-12-04
CWE-22 (path traversal): Directory traversal vulnerability in the multipartRequest servlet in ZOHO ManageEngine OpManager 11.3 and earlier, Social IT Plus 11.0, and IT360 10.3, 10.4, and earlier allows remote attackers or remote authenticated users to delete arbitrary files via a .. (dot dot) in the fileName parameter.
Source: NVD
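Several entries on this page name the exact endpoint and parameter an attacker has to hit: the RequestXML parameter of /devices/ProcessRequest.do (CVE-2018-18980), /oputilsServlet?action=getAPIKey (CVE-2018-17283), dot-dot sequences in the FILENAME, fileName, zipFileName and regionID parameters of the FileCollector, MigrateLEEData and multipartRequest servlets (CVE-2014-6034, CVE-2014-6035, CVE-2014-6036, CVE-2014-7866), and SQL comments in the query parameter of api/json/admin/SubmitQuery (CVE-2015-7766). That is enough to write retrospective detection over web server access logs. The block below is an added example, not the page's or the vendor's code: it scans constructed Common Log Format lines (not real OpManager logs) and flags requests matching those indicators. The full URL path of the traversal servlets is not given on the page, so matching is on the servlet name as a path substring, and the /servlet/ prefix in the sample lines is an assumption. Parameter values are percent-decoded repeatedly so a double-encoded `%252e%252e` is still caught.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access log in Common Log Format. Not real OpManager logs;
# the /servlet/ prefix on FileCollector is an assumed path.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Nov/2018:10:01:02 +0000] "GET /devices/ProcessRequest.do?RequestXML=%3C!DOCTYPE+x+%5B%3C!ENTITY+e+SYSTEM+%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E%5D%3E%3Cx%3E%26e%3B%3C%2Fx%3E HTTP/1.1" 200 512
10.0.0.6 - - [05/Nov/2018:10:02:10 +0000] "GET /oputilsServlet?action=getAPIKey HTTP/1.1" 200 88
10.0.0.7 - - [05/Nov/2018:10:03:33 +0000] "POST /servlet/FileCollector?FILENAME=..%2F..%2Fwebapps%2Fx.jsp&regionID=1 HTTP/1.1" 200 0
10.0.0.8 - - [05/Nov/2018:10:04:00 +0000] "GET /api/json/admin/SubmitQuery?query=INSERT%2F**%2FINTO+users+VALUES(1) HTTP/1.1" 200 30
10.0.0.9 - - [05/Nov/2018:10:05:00 +0000] "GET /apiclient/ember/index.jsp HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Servlet names and parameters taken from the CVE descriptions on this page.
TRAVERSAL_SERVLETS = ("FileCollector", "MigrateLEEData", "multipartRequest")
TRAVERSAL_PARAMS = ("FILENAME", "fileName", "zipFileName", "regionID")


def fully_unquote(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded traversal is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(target: str):
    """Return a list of (cve, reason) indicators for one request target."""
    parts = urlsplit(target)
    path = fully_unquote(parts.path)
    params = {
        key: [fully_unquote(v) for v in values]
        for key, values in parse_qs(parts.query, keep_blank_values=True).items()
    }
    hits = []

    # CVE-2018-17283: API key retrieval with no authentication required.
    if path.endswith("/oputilsServlet") and "getAPIKey" in params.get("action", []):
        hits.append(("CVE-2018-17283", "unauthenticated getAPIKey request"))

    # CVE-2018-18980: a DTD or entity declaration inside RequestXML.
    if path.endswith("/devices/ProcessRequest.do"):
        xml = " ".join(params.get("RequestXML", [])).upper()
        if "<!DOCTYPE" in xml or "<!ENTITY" in xml:
            hits.append(("CVE-2018-18980", "DTD/entity declaration in RequestXML"))

    # CVE-2014-6034/6035/6036/7866: dot-dot in a file-name style parameter.
    if any(servlet in path for servlet in TRAVERSAL_SERVLETS):
        for param in TRAVERSAL_PARAMS:
            if any(".." in v for v in params.get(param, [])):
                hits.append(("CVE-2014-6034/6035/6036/7866", f"dot-dot in {param}"))

    # CVE-2015-7766: SQL comment used to slip past the query restriction.
    if path.endswith("/api/json/admin/SubmitQuery"):
        query = " ".join(params.get("query", []))
        if "/*" in query or "--" in query:
            hits.append(("CVE-2015-7766", "SQL comment in SubmitQuery"))

    return hits


def scan(log_text: str):
    """Return (source_ip, cve, reason) for every flagged request in the log."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        for cve, reason in classify(match.group("target")):
            findings.append((match.group("ip"), cve, reason))
    return findings


if __name__ == "__main__":
    for ip, cve, reason in scan(SAMPLE_LOG):
        print(f"{ip:<10} {cve:<30} {reason}")
```

These are signatures for known-bad requests and will not catch an attacker who uses a variant path or parameter; they are useful for scoping a retrospective investigation on a host that ran an affected build, and as a sanity check that a patched instance no longer serves those endpoints unauthenticated.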