Zoho ManageEngine 漏洞列表

ZOHO ManageEngine analytics plus panel was detected. FOFA: app="ZOHO-流量管理"

Zoho manageengine is vulnerable to reflected cross-site scripting. This impacts Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 via the parameter 'operation' to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.

Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter.

Zoho ManageEngine OpManager Stable build before 124196 and Released build before 125125 allows an unauthenticated attacker to read arbitrary files on the server by sending a specially crafted request.

Zoho ManageEngine ADSelfService Plus 6103 and prior contains a reflected cross-site scripting vulnerability on the loadframe page.

Zoho ManageEngine ADSelfService Plus version 6113 and prior are vulnerable to a REST API authentication bypass vulnerability that can lead to remote code execution.

Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution.

Zoho ManageEngine Desktop Central contains an authentication bypass vulnerability that could allow an attacker to execute arbitrary code in the Desktop Central MSP server.

Zoho ManageEngine Desktop Central before 10.1.2137.8 exposes the installed server name to anyone. The internal hostname can be discovered by reading HTTP redirect responses.

Zoho ManageEngine ADAudit Plus before version 7060 is vulnerable to an unauthenticated XML entity injection attack that can lead to remote code execution.

Zoho ManageEngine Password Manager Pro, PAM 360, and Access Manager Plus are susceptible to unauthenticated remote code execution via XML-RPC. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.