The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2019-8429 | ZoneMinder before 1.32.3 has SQL Injection via the ajax/status.php filter[Query][terms][0][cnj] parameter. | HIGH | Mar 20, 2019 |
| CVE-2008-1381 | ZoneMinder before 1.23.3 allows remote authenticated users, and possibly unauthenticated attackers in some installations, to execute arbitrary commands via shell metacharacters in a crafted URL. | High | May 2, 2008 |
| CVE-2008-6756 | ZoneMinder 1.23.3 on Gentoo Linux uses 0644 permissions for /etc/zm.conf, which allows local users to obtain the database username and password by reading this file. | Low | Apr 28, 2009 |
| CVE-2008-6755 | ZoneMinder 1.23.3 on Fedora 10 sets the ownership of /etc/zm.conf to the apache user account, and sets the permissions to 0600, which makes it easier for remote attackers to modify this file by accessing it through a (1) PHP or (2) CGI script. | Medium | Apr 28, 2009 |
| CVE-2020-6013 | ZoneAlarm Firewall and Antivirus products before version 15.8.109.18436 allow an attacker who already has access to the system to execute code at elevated privileges through a combination of file permission manipulation and exploitation of Windows CVE-2020-00896 on unpatched systems. | MEDIUM | Jul 6, 2020 |
| CVE-2020-6012 | ZoneAlarm Anti-Ransomware before version 1.0.713 copies files for the report from a directory with low privileges. A sophisticated timed attacker can replace those files with malicious or linked content, such as exploiting CVE-2020-0896 on unpatched systems or using symbolic links. This allows an unprivileged user to enable escalation of privilege via local access. | LOW | Aug 6, 2020 |
| CVE-2008-2349 | Zomplog 3.8.2 and earlier allows remote attackers to gain administrative access by creating an admin account via a direct request to install/Unchangeduser.php with the admin parameter set to 1. | High | May 20, 2008 |
| CVE-2007-5278 | Zomplog 3.8.1 and earlier stores potentially sensitive information under the web root with insufficient access control, which allows remote attackers to download files that were uploaded by users, as demonstrated by obtaining a directory listing via a direct request to /upload and then retrieving individual files. NOTE: in a non-default configuration, the directory listing is denied, but filenames may be predicable. | Medium | Oct 9, 2007 |
| CVE-2017-15993 | Zomato Clone Script allows SQL Injection via the restaurant-menu.php resid parameter. | HIGH | Oct 31, 2017 |
| CVE-2021-27485 | ZOLL Defibrillator Dashboard, v prior to 2.2,The application allows users to store their passwords in a recoverable format, which could allow an attacker to retrieve the credentials from the web browser. | MEDIUM | Jun 16, 2021 |
| CVE-2021-27479 | ZOLL Defibrillator Dashboard, v prior to 2.2,The affected product’s web application could allow a low privilege user to inject parameters to contain malicious scripts to be executed by higher privilege users. | LOW | Jun 16, 2021 |
| CVE-2021-27483 | ZOLL Defibrillator Dashboard, v prior to 2.2,The affected products contain insecure filesystem permissions that could allow a lower privilege user to escalate privileges to an administrative level user. | MEDIUM | Jun 16, 2021 |
| CVE-2021-27489 | ZOLL Defibrillator Dashboard, v prior to 2.2, The web application allows a non-administrative user to upload a malicious file. This file could allow an attacker to remotely execute arbitrary commands. | MEDIUM | Jun 16, 2021 |
| CVE-2021-27481 | ZOLL Defibrillator Dashboard, v prior to 2.2, The affected products utilize an encryption key in the data exchange process, which is hardcoded. This could allow an attacker to gain access to sensitive information. | LOW | Jun 16, 2021 |
| CVE-2021-27487 | ZOLL Defibrillator Dashboard, v prior to 2.2, The affected products contain credentials stored in plaintext. This could allow an attacker to gain access to sensitive information. | LOW | Jun 16, 2021 |
| CVE-2013-7395 | ZOLL Defibrillator / Monitor X Series has a default (1) supervisor password and (2) service password, which allows physically proximate attackers to modify device configuration and cause a denial of service (adverse human health effects). | Medium | Aug 13, 2014 |
| CVE-2007-6756 | ZOLL Defibrillator / Monitor M Series, E Series, and R Series have a default password for System Configuration mode, which allows physically proximate attackers to modify device configuration and cause a denial of service (adverse human health effects). | Medium | Aug 13, 2014 |
| CVE-2009-3704 | ZoIPer 2.22, and possibly other versions before 2.24 Library 5324, allows remote attackers to cause a denial of service (crash) via a SIP INVITE request with an empty Call-Info header. | Medium | Oct 19, 2009 |
| CVE-2016-6602 | ZOHO WebNMS Framework 5.2 and 5.2 SP1 use a weak obfuscation algorithm to store passwords, which allows context-dependent attackers to obtain cleartext passwords by leveraging access to WEB-INF/conf/securitydbData.xml. NOTE: this issue can be combined with CVE-2016-6601 for a remote exploit. | MEDIUM | Feb 7, 2017 |
| CVE-2016-6603 | ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to bypass authentication and impersonate arbitrary users via the UserName HTTP header. | MEDIUM | Feb 7, 2017 |
| CVE-2021-42955 | Zoho Remote Access Plus Server Windows Desktop binary fixed in version 10.1.2132 is affected by an unauthorized password reset vulnerability. Because of the designed password reset mechanism, any non-admin Windows user can reset the password of the Remote Access Plus Server Admin account. | HIGH | Nov 19, 2021 |
| CVE-2021-42956 | Zoho Remote Access Plus Server Windows Desktop Binary fixed in 10.1.2132.6 is affected by a sensitive information disclosure vulnerability. Due to improper privilege management, the process launches as the logged in user, so memory dump can be done by non-admin also. Remotely, an attacker can dump all sensitive information including DB Connection string, entire IT infrastructure details, commands executed by IT admin including credentials, secrets, private keys and more. | MEDIUM | Nov 18, 2021 |
| CVE-2021-42954 | Zoho Remote Access Plus Server Windows Desktop Binary fixed from 10.1.2121.1 is affected by incorrect access control. The installation directory is vulnerable to weak file permissions by allowing full control for Windows Everyone user group (non-admin or any guest users), thereby allowing privilege escalation, unauthorized password reset, stealing of sensitive data, access to credentials in plaintext, access to registry values, tampering with configuration files, etc. | MEDIUM | Nov 18, 2021 |
| CVE-2015-4418 | Zoho NetFlow Analyzer build 10250 and earlier does not have an off autocomplete attribute for a password field, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation. | Medium | Jun 9, 2015 |
| CVE-2015-2959 | Zoho NetFlow Analyzer build 10250 and earlier does not check for administrative authorization, which allows remote attackers to obtain sensitive information, modify passwords, or remove accounts by leveraging the guest role. | High | Jun 9, 2015 |
| CVE-2022-25373 | Zoho ManageEngine SupportCenter Plus before 11020 allows Stored XSS in the request history. | LOW | Apr 5, 2022 |
| CVE-2021-43294 | Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Products module. | MEDIUM | Dec 2, 2021 |
| CVE-2021-43295 | Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to Reflected XSS in the Accounts module. | MEDIUM | Dec 2, 2021 |
| CVE-2021-43296 | Zoho ManageEngine SupportCenter Plus before 11016 is vulnerable to an SSRF attack in ActionExecutor. | MEDIUM | Dec 2, 2021 |
| CVE-2022-24305 | Zoho ManageEngine SharePoint Manager Plus before 4329 is vulnerable to a sensitive data leak that leads to privilege escalation. | HIGH | Mar 2, 2022 |
| CVE-2022-24306 | Zoho ManageEngine SharePoint Manager Plus before 4329 allows account takeover because authorization is mishandled. | HIGH | Mar 2, 2022 |
| CVE-2022-32551 | Zoho ManageEngine ServiceDesk Plus MSP before 10604 allows path traversal (to WEBINF/web.xml from sample/WEB-INF/web.xml or sample/META-INF/web.xml). | MEDIUM | Jul 2, 2022 |
| CVE-2021-31530 | Zoho ManageEngine ServiceDesk Plus MSP before 10522 is vulnerable to Information Disclosure. | MEDIUM | Jul 2, 2021 |
| CVE-2021-31531 | Zoho ManageEngine ServiceDesk Plus MSP before 10521 is vulnerable to Server-Side Request Forgery (SSRF). | HIGH | Jul 2, 2021 |
| CVE-2021-31160 | Zoho ManageEngine ServiceDesk Plus MSP before 10521 allows an attacker to access internal data. | MEDIUM | Jul 2, 2021 |
| CVE-2021-31159 | Zoho ManageEngine ServiceDesk Plus MSP before 10519 is vulnerable to a User Enumeration bug due to improper error-message generation in the Forgot Password functionality, aka SDPMSP-15732. | MEDIUM | Jun 17, 2021 |
| CVE-2021-44675 | Zoho ManageEngine ServiceDesk Plus MSP before 10.5 Build 10534 is vulnerable to unauthenticated remote code execution due to a filter bypass in which authentication is not required. | HIGH | Dec 20, 2021 |
| CVE-2016-4890 | ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a cookie. | MEDIUM | Apr 21, 2017 |
| CVE-2016-4889 | ZOHO ManageEngine ServiceDesk Plus before 9.0 allows remote authenticated guest users to have unspecified impact by leveraging failure to restrict access to unknown functions. | MEDIUM | Apr 21, 2017 |
| CVE-2022-35403 | Zoho ManageEngine ServiceDesk Plus before 13008, ServiceDesk Plus MSP before 10606, and SupportCenter Plus before 11022 are affected by an unauthenticated local file disclosure vulnerability via ticket-creation email. (This also affects Asset Explorer before 6977 with authentication.) | MEDIUM | Jul 13, 2022 |
| CVE-2022-25245 | Zoho ManageEngine ServiceDesk Plus before 13001 allows anyone to know the organisation\'s default currency name. | MEDIUM | Apr 5, 2022 |
| CVE-2021-44526 | Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations. | MEDIUM | Dec 23, 2021 |
| CVE-2021-44077 | Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration. | HIGH | Dec 1, 2021 |
| CVE-2021-37415 | Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication. | HIGH | Sep 1, 2021 |
| CVE-2020-35682 | Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login). | MEDIUM | Mar 13, 2021 |
| CVE-2020-14048 | Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents. | MEDIUM | Jun 12, 2020 |
| CVE-2020-6843 | Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS. This issue was fixed in version 11.0 Build 11010, SD-83959. | LOW | Jan 27, 2020 |
| CVE-2019-15046 | Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989. | MEDIUM | Aug 21, 2019 |
| CVE-2015-1480 | ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to obtain sensitive ticket information via a (1) getTicketData action to servlet/AJaxServlet or a direct request to (2) swf/flashreport.swf, (3) reports/flash/details.jsp, or (4) reports/CreateReportTable.jsp. | Medium | Feb 4, 2015 |
| CVE-2019-8394 | Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization. | MEDIUM | Mar 20, 2019 |
