The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2023-38743 | Zoho ManageEngine ADManager Plus before Build 7200 allows admin users to execute commands on the host machine. | -- | Sep 12, 2023 |
| CVE-2022-42904 | Zoho ManageEngine ADManager Plus through 7151 allows authenticated admin users to execute the commands in proxy settings. | -- | Nov 18, 2022 |
| CVE-2023-38332 | Zoho ManageEngine ADManager Plus through 7201 allow authenticated users to take over another user\'s account via sensitive information disclosure. | -- | Aug 4, 2023 |
| CVE-2021-37927 | Zoho ManageEngine ADManager Plus version 7110 and prior allows account takeover via SSO. | HIGH | Sep 22, 2021 |
| CVE-2021-37762 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file overwrite leading to remote code execution. | HIGH | Oct 7, 2021 |
| CVE-2021-37931 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | HIGH | Oct 7, 2021 |
| CVE-2021-37930 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | HIGH | Oct 7, 2021 |
| CVE-2021-37929 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | HIGH | Oct 7, 2021 |
| CVE-2021-37928 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | HIGH | Oct 7, 2021 |
| CVE-2021-37926 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | HIGH | Oct 7, 2021 |
| CVE-2021-37924 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | HIGH | Oct 7, 2021 |
| CVE-2021-37923 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | HIGH | Oct 7, 2021 |
| CVE-2021-37921 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | HIGH | Oct 7, 2021 |
| CVE-2021-37920 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | HIGH | Oct 7, 2021 |
| CVE-2021-37919 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | HIGH | Oct 7, 2021 |
| CVE-2021-37918 | Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution. | HIGH | Oct 7, 2021 |
| CVE-2021-37925 | Zoho ManageEngine ADManager Plus version 7110 and prior has a Post-Auth OS command injection vulnerability. | HIGH | Sep 22, 2021 |
| CVE-2021-37922 | Zoho ManageEngine ADManager Plus version 7110 and prior is vulnerable to path traversal which allows copying of files from one directory to another. | MEDIUM | Oct 7, 2021 |
| CVE-2021-37761 | Zoho ManageEngine ADManager Plus version 7110 and prior is vulnerable to unrestricted file upload, leading to remote code execution. | HIGH | Oct 1, 2021 |
| CVE-2023-31492 | Zoho ManageEngine ADManager Plus version 7182 and prior disclosed the default passwords for the account restoration of unauthorized domains to the authenticated users. | -- | Aug 17, 2023 |
| CVE-2018-20485 | Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the employee search feature. | MEDIUM | Dec 26, 2018 |
| CVE-2018-20484 | Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the self-update layout implementation. | MEDIUM | Dec 26, 2018 |
| CVE-2018-20664 | Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via an uploaded product license. | High | Jan 10, 2019 |
| CVE-2019-3905 | Zoho ManageEngine ADSelfService Plus 5.x before build 5703 has SSRF. | High | Jan 10, 2019 |
| CVE-2019-18411 | Zoho ManageEngine ADSelfService Plus 5.x through 5803 has CSRF on the users\' profile information page. Users who are attacked with this vulnerability will be forced to modify their enrolled information, such as email and mobile phone, unintentionally. Attackers could use the reset password function and control the system to send the authentication code back to the channel that the attackers own. | MEDIUM | Nov 8, 2019 |
| CVE-2021-37421 | Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass. | HIGH | Sep 2, 2021 |
| CVE-2021-37423 | Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to linked applications takeover. | HIGH | Sep 12, 2021 |
| CVE-2021-37422 | Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to SQL Injection while linking the databases. | HIGH | Sep 12, 2021 |
| CVE-2010-3273 | ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allows remote attackers to reset user passwords, and consequently obtain access to arbitrary user accounts, by providing a user id to accounts/ValidateUser, and then providing a new password to accounts/ResetResult. | Medium | Feb 17, 2011 |
| CVE-2020-11518 | Zoho ManageEngine ADSelfService Plus before 5815 allows unauthenticated remote code execution. | HIGH | Apr 6, 2020 |
| CVE-2021-27956 | Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field. | MEDIUM | May 20, 2021 |
| CVE-2021-31874 | Zoho ManageEngine ADSelfService Plus before 6104, in rare situations, allows attackers to obtain sensitive information about the password-sync database application. | MEDIUM | Jul 2, 2021 |
| CVE-2021-37420 | Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to mail spoofing. | MEDIUM | Sep 21, 2021 |
| CVE-2021-37419 | Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to SSRF. | HIGH | Sep 21, 2021 |
| CVE-2022-24681 | Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen. | MEDIUM | Apr 8, 2022 |
| CVE-2022-29457 | Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps. | MEDIUM | Apr 19, 2022 |
| CVE-2022-28987 | Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login. | MEDIUM | May 20, 2022 |
| CVE-2022-34829 | Zoho ManageEngine ADSelfService Plus before 6203 allows a denial of service (application restart) via a crafted payload to the Mobile App Deployment API. | MEDIUM | Jul 5, 2022 |
| CVE-2023-28342 | Zoho ManageEngine ADSelfService Plus before 6218 allows anyone to conduct a Denial-of-Service attack via the Mobile App Authentication API. | -- | Apr 6, 2023 |
| CVE-2019-11511 | Zoho ManageEngine ADSelfService Plus before build 5708 has XSS via the mobile app API. | MEDIUM | Apr 29, 2019 |
| CVE-2022-28810 | Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field. | HIGH | Apr 21, 2022 |
| CVE-2021-28958 | Zoho ManageEngine ADSelfService Plus through 6101 is vulnerable to unauthenticated Remote Code Execution while changing the password. | HIGH | Jun 25, 2021 |
| CVE-2021-33055 | Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions. | HIGH | Sep 2, 2021 |
| CVE-2023-35854 | Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor\'s perspective is that they have found no evidence or detail of a security vulnerability. | -- | Jun 20, 2023 |
| CVE-2022-36413 | Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack that leads to a password reset on IDM applications. | -- | Mar 24, 2023 |
| CVE-2021-37417 | Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation. | MEDIUM | Sep 2, 2021 |
| CVE-2021-37416 | Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page. | MEDIUM | Sep 2, 2021 |
| CVE-2021-40539 | Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution. | HIGH | Sep 7, 2021 |
| CVE-2020-29658 | Zoho ManageEngine Application Control Plus before 100523 has an insecure SSL configuration setting for Nginx, leading to Privilege Escalation. | HIGH | Mar 5, 2021 |
| CVE-2019-11469 | Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the \"Execute Program Action(s)\" feature. | HIGH | Apr 26, 2019 |
