The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2019-8424 | ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php sort parameter. | HIGH | Mar 20, 2019 | n/a |
| CVE-2019-8429 | ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php filter[Query][terms][0][cnj] parameter. | HIGH | Mar 20, 2019 | n/a |
| CVE-2020-6013 | ZoneAlarm Firewall and Antivirus products before version 15.8.109.18436 allow an attacker who already has access to the system to execute code at elevated privileges through a combination of file permission manipulation and exploitation of Windows CVE-2020-00896 on unpatched systems. | MEDIUM | Jul 6, 2020 | n/a |
| CVE-2020-6012 | ZoneAlarm Anti-Ransomware before version 1.0.713 copies files for the report from a directory with low privileges. A sophisticated timed attacker can replace those files with malicious or linked content, such as exploiting CVE-2020-0896 on unpatched systems or using symbolic links. This allows an unprivileged user to enable escalation of privilege via local access. | LOW | Aug 6, 2020 | n/a |
| CVE-2017-15993 | Zomato Clone Script allows SQL Injection via the restaurant-menu.php resid parameter. | HIGH | Oct 31, 2017 | n/a |
| CVE-2021-27485 | ZOLL Defibrillator Dashboard, v prior to 2.2,The application allows users to store their passwords in a recoverable format, which could allow an attacker to retrieve the credentials from the web browser. | MEDIUM | Jun 16, 2021 | n/a |
| CVE-2021-27479 | ZOLL Defibrillator Dashboard, v prior to 2.2,The affected product’s web application could allow a low privilege user to inject parameters to contain malicious scripts to be executed by higher privilege users. | LOW | Jun 16, 2021 | n/a |
| CVE-2021-27483 | ZOLL Defibrillator Dashboard, v prior to 2.2,The affected products contain insecure filesystem permissions that could allow a lower privilege user to escalate privileges to an administrative level user. | MEDIUM | Jun 16, 2021 | n/a |
| CVE-2021-27489 | ZOLL Defibrillator Dashboard, v prior to 2.2, The web application allows a non-administrative user to upload a malicious file. This file could allow an attacker to remotely execute arbitrary commands. | MEDIUM | Jun 16, 2021 | n/a |
| CVE-2021-27481 | ZOLL Defibrillator Dashboard, v prior to 2.2, The affected products utilize an encryption key in the data exchange process, which is hardcoded. This could allow an attacker to gain access to sensitive information. | LOW | Jun 16, 2021 | n/a |
| CVE-2021-27487 | ZOLL Defibrillator Dashboard, v prior to 2.2, The affected products contain credentials stored in plaintext. This could allow an attacker to gain access to sensitive information. | LOW | Jun 16, 2021 | n/a |
| CVE-2016-6602 | ZOHO WebNMS Framework 5.2 and 5.2 SP1 use a weak obfuscation algorithm to store passwords, which allows context-dependent attackers to obtain cleartext passwords by leveraging access to WEB-INF/conf/securitydbData.xml. NOTE: this issue can be combined with CVE-2016-6601 for a remote exploit. | MEDIUM | Feb 7, 2017 | n/a |
| CVE-2016-6603 | ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to bypass authentication and impersonate arbitrary users via the UserName HTTP header. | MEDIUM | Feb 7, 2017 | n/a |
| CVE-2021-42955 | Zoho Remote Access Plus Server Windows Desktop binary fixed in version 10.1.2132 is affected by an unauthorized password reset vulnerability. Because of the designed password reset mechanism, any non-admin Windows user can reset the password of the Remote Access Plus Server Admin account. | HIGH | Nov 19, 2021 | n/a |
| CVE-2021-42956 | Zoho Remote Access Plus Server Windows Desktop Binary fixed in 10.1.2132.6 is affected by a sensitive information disclosure vulnerability. Due to improper privilege management, the process launches as the logged in user, so memory dump can be done by non-admin also. Remotely, an attacker can dump all sensitive information including DB Connection string, entire IT infrastructure details, commands executed by IT admin including credentials, secrets, private keys and more. | MEDIUM | Nov 18, 2021 | n/a |
| CVE-2021-42954 | Zoho Remote Access Plus Server Windows Desktop Binary fixed from 10.1.2121.1 is affected by incorrect access control. The installation directory is vulnerable to weak file permissions by allowing full control for Windows Everyone user group (non-admin or any guest users), thereby allowing privilege escalation, unauthorized password reset, stealing of sensitive data, access to credentials in plaintext, access to registry values, tampering with configuration files, etc. | MEDIUM | Nov 18, 2021 | n/a |
| CVE-2022-42903 | Zoho ManageEngine SupportCenter Plus through 11024 allows low-privileged users to view the organization users list. | -- | Nov 18, 2022 | n/a |
| CVE-2022-25373 | Zoho ManageEngine SupportCenter Plus before 11020 allows Stored XSS in the request history. | LOW | Apr 5, 2022 | n/a |
| CVE-2021-43294 | Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Products module. | MEDIUM | Dec 2, 2021 | n/a |
| CVE-2021-43295 | Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Accounts module. | MEDIUM | Dec 2, 2021 | n/a |
| CVE-2021-43296 | Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to an SSRF attack in ActionExecutor. | MEDIUM | Dec 2, 2021 | n/a |
| CVE-2023-38331 | Zoho ManageEngine Support Center Plus 14001 and below is vulnerable to stored XSS in the products module. | -- | Jul 28, 2023 | n/a |
| CVE-2022-24305 | Zoho ManageEngine SharePoint Manager Plus before 4329 is vulnerable to a sensitive data leak that leads to privilege escalation. | HIGH | Mar 2, 2022 | n/a |
| CVE-2022-24306 | Zoho ManageEngine SharePoint Manager Plus before 4329 allows account takeover because authorization is mishandled. | HIGH | Mar 2, 2022 | n/a |
| CVE-2022-40770 | Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to authenticated command injection. This can be exploited by high-privileged users. | -- | Nov 23, 2022 | n/a |
| CVE-2022-40771 | Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure. | -- | Nov 23, 2022 | n/a |
| CVE-2022-40772 | Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to a validation bypass that allows users to access sensitive data via the report module. | -- | Nov 23, 2022 | n/a |
| CVE-2023-26601 | Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Center Plus before 14000 allow Denial-of-Service (DoS). | -- | Mar 7, 2023 | n/a |
| CVE-2023-49943 | Zoho ManageEngine ServiceDesk Plus MSP before 14504 allows stored XSS (by a low-privileged technician) via a task\'s name in a time sheet. | -- | Jan 18, 2024 | n/a |
| CVE-2023-22964 | Zoho ManageEngine ServiceDesk Plus MSP before 10611, and 13x before 13004, is vulnerable to authentication bypass when LDAP authentication is enabled. | -- | Jan 27, 2023 | n/a |
| CVE-2022-40773 | Zoho ManageEngine ServiceDesk Plus MSP before 10609 and SupportCenter Plus before 11025 are vulnerable to privilege escalation. This allows users to obtain sensitive data during an exportMickeyList export of requests from the list view. | -- | Nov 12, 2022 | n/a |
| CVE-2022-32551 | Zoho ManageEngine ServiceDesk Plus MSP before 10604 allows path traversal (to WEBINF/web.xml from sample/WEB-INF/web.xml or sample/META-INF/web.xml). | MEDIUM | Jul 2, 2022 | n/a |
| CVE-2021-31530 | Zoho ManageEngine ServiceDesk Plus MSP before 10522 is vulnerable to Information Disclosure. | MEDIUM | Jul 2, 2021 | n/a |
| CVE-2021-31531 | Zoho ManageEngine ServiceDesk Plus MSP before 10521 is vulnerable to Server-Side Request Forgery (SSRF). | HIGH | Jul 2, 2021 | n/a |
| CVE-2021-31160 | Zoho ManageEngine ServiceDesk Plus MSP before 10521 allows an attacker to access internal data. | MEDIUM | Jul 2, 2021 | n/a |
| CVE-2021-31159 | Zoho ManageEngine ServiceDesk Plus MSP before 10519 is vulnerable to a User Enumeration bug due to improper error-message generation in the Forgot Password functionality, aka SDPMSP-15732. | MEDIUM | Jun 17, 2021 | n/a |
| CVE-2021-44675 | Zoho ManageEngine ServiceDesk Plus MSP before 10.5 Build 10534 is vulnerable to unauthenticated remote code execution due to a filter bypass in which authentication is not required. | HIGH | Dec 20, 2021 | n/a |
| CVE-2016-4890 | ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a cookie. | MEDIUM | Apr 21, 2017 | n/a |
| CVE-2016-4889 | ZOHO ManageEngine ServiceDesk Plus before 9.0 allows remote authenticated guest users to have unspecified impact by leveraging failure to restrict access to unknown functions. | MEDIUM | Apr 21, 2017 | n/a |
| CVE-2023-34197 | Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a privilege escalation vulnerability in the Release module that allows unprivileged users to access the Reminders of a release ticket and make modifications. | -- | Jul 7, 2023 | n/a |
| CVE-2023-29443 | Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint. | -- | Apr 27, 2023 | n/a |
| CVE-2022-35403 | Zoho ManageEngine ServiceDesk Plus before 13008, ServiceDesk Plus MSP before 10606, and SupportCenter Plus before 11022 are affected by an unauthenticated local file disclosure vulnerability via ticket-creation email. (This also affects Asset Explorer before 6977 with authentication.) | MEDIUM | Jul 13, 2022 | n/a |
| CVE-2022-25245 | Zoho ManageEngine ServiceDesk Plus before 13001 allows anyone to know the organisation\'s default currency name. | MEDIUM | Apr 5, 2022 | n/a |
| CVE-2021-44526 | Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations. | MEDIUM | Dec 23, 2021 | n/a |
| CVE-2021-44077 | Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration. | HIGH | Dec 1, 2021 | n/a |
| CVE-2021-37415 | Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication. | HIGH | Sep 1, 2021 | n/a |
| CVE-2020-35682 | Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login). | MEDIUM | Mar 13, 2021 | n/a |
| CVE-2020-14048 | Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents. | MEDIUM | Jun 12, 2020 | n/a |
| CVE-2020-6843 | Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS. This issue was fixed in version 11.0 Build 11010, SD-83959. | LOW | Jan 27, 2020 | n/a |
| CVE-2019-15046 | Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989. | MEDIUM | Aug 21, 2019 | n/a |
