Search criteria
131 vulnerabilities by ManageEngine
CVE-2025-8309 (GCVE-0-2025-8309)
Vulnerability from cvelistv5 – Published: 2025-08-20 16:53 – Updated: 2025-08-21 03:55
VLAI?
Summary
There is an improper privilege management vulnerability identified in ManageEngine's Asset Explorer, ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus products by Zohocorp.
This vulnerability impacts Asset Explorer versions before 7710, ServiceDesk Plus versions before 15110, ServiceDesk Plus MSP versions before 14940, and SupportCenter Plus versions before 14940.
Severity ?
8.1 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ManageEngine | Asset Explorer |
Affected:
0 , < 7710
(7710)
|
|||||||||||||||||
|
|||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8309",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-21T03:55:16.201Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Asset Explorer",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "7710",
"status": "affected",
"version": "0",
"versionType": "7710"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ServiceDesk Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "15110",
"status": "affected",
"version": "0",
"versionType": "15110"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ServiceDesk Plus MSP",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "14940",
"status": "affected",
"version": "0",
"versionType": "14940"
}
]
},
{
"defaultStatus": "unaffected",
"product": "SupportCenter Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "14940",
"status": "affected",
"version": "0",
"versionType": "14940"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is an improper privilege management vulnerability identified in ManageEngine\u0027s Asset Explorer, ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus products by Zohocorp. \u003cbr\u003e\u003cbr\u003eThis vulnerability impacts Asset Explorer versions before 7710, ServiceDesk Plus versions before 15110, ServiceDesk Plus MSP versions before 14940, and SupportCenter Plus versions before 14940."
}
],
"value": "There is an improper privilege management vulnerability identified in ManageEngine\u0027s Asset Explorer, ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus products by Zohocorp. \n\nThis vulnerability impacts Asset Explorer versions before 7710, ServiceDesk Plus versions before 15110, ServiceDesk Plus MSP versions before 14940, and SupportCenter Plus versions before 14940."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T16:53:29.010Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "Zohocorp"
},
"references": [
{
"url": "https://www.manageengine.com/products/service-desk/cve-2025-8309.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "User privilege escalation vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "Zohocorp",
"cveId": "CVE-2025-8309",
"datePublished": "2025-08-20T16:53:29.010Z",
"dateReserved": "2025-07-29T14:32:17.844Z",
"dateUpdated": "2025-08-21T03:55:16.201Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27930 (GCVE-0-2025-27930)
Vulnerability from cvelistv5 – Published: 2025-07-23 10:20 – Updated: 2025-07-25 03:55
VLAI?
Summary
Zohocorp ManageEngine Applications Manager versions 176600 and prior are vulnerable to stored cross-site scripting in the File/Directory monitor.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | Applications Manager |
Affected:
0 , ≤ 176600
(176600)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27930",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-24T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-25T03:55:17.888Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Applications Manager",
"vendor": "ManageEngine",
"versions": [
{
"lessThanOrEqual": "176600",
"status": "affected",
"version": "0",
"versionType": "176600"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zohocorp ManageEngine Applications Manager versions\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e176600 and prior are vulnerable to stored cross-site scripting in the\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eFile/Directory monitor.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Zohocorp ManageEngine Applications Manager versions\u00a0176600 and prior are vulnerable to stored cross-site scripting in the\u00a0File/Directory monitor."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-23T10:20:09.411Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "Zohocorp"
},
"references": [
{
"url": "https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2025-27930.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "Zohocorp",
"cveId": "CVE-2025-27930",
"datePublished": "2025-07-23T10:20:09.411Z",
"dateReserved": "2025-04-21T10:22:18.152Z",
"dateUpdated": "2025-07-25T03:55:17.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-5966 (GCVE-0-2025-5966)
Vulnerability from cvelistv5 – Published: 2025-06-26 12:22 – Updated: 2025-06-26 12:54
VLAI?
Summary
Zohocorp ManageEngine Exchange reporter Plus version 5722 and below are vulnerable to Stored XSS in the Attachments by filename keyword report.
Severity ?
8.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | Exchange Reporter Plus |
Affected:
0 , ≤ 5722
(5722)
|
Credits
Ngockhanhc311 from FPT NightWolf
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5966",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-26T12:54:01.397958Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-26T12:54:07.728Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Exchange Reporter Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThanOrEqual": "5722",
"status": "affected",
"version": "0",
"versionType": "5722"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ngockhanhc311 from FPT NightWolf"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zohocorp ManageEngine Exchange reporter Plus version\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e5722 and below are vulnerable to Stored XSS\u0026nbsp;in the Attachments by filename keyword\u0026nbsp;report.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Zohocorp ManageEngine Exchange reporter Plus version\u00a05722 and below are vulnerable to Stored XSS\u00a0in the Attachments by filename keyword\u00a0report."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-26T12:22:10.367Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "Zohocorp"
},
"references": [
{
"url": "https://www.manageengine.com/products/exchange-reports/advisory/CVE-2025-5966.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored XSS",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "Zohocorp",
"cveId": "CVE-2025-5966",
"datePublished": "2025-06-26T12:22:10.367Z",
"dateReserved": "2025-06-10T09:25:22.467Z",
"dateUpdated": "2025-06-26T12:54:07.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-5366 (GCVE-0-2025-5366)
Vulnerability from cvelistv5 – Published: 2025-06-26 12:21 – Updated: 2025-06-26 12:54
VLAI?
Summary
Zohocorp ManageEngine Exchange reporter Plus version 5722 and below are vulnerable to Stored XSS in the Folder-wise read mails with subject report.
Severity ?
8.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | Exchange Reporter Plus |
Affected:
0 , ≤ 5722
(5722)
|
Credits
Ngockhanhc311 from FPT NightWolf
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5366",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-26T12:54:32.477331Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-26T12:54:40.737Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Exchange Reporter Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThanOrEqual": "5722",
"status": "affected",
"version": "0",
"versionType": "5722"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ngockhanhc311 from FPT NightWolf"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zohocorp ManageEngine Exchange reporter Plus version\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e5722 and below are vulnerable to Stored XSS\u0026nbsp;in the Folder-wise read mails with subject report.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Zohocorp ManageEngine Exchange reporter Plus version\u00a05722 and below are vulnerable to Stored XSS\u00a0in the Folder-wise read mails with subject report."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-26T12:21:02.974Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "Zohocorp"
},
"references": [
{
"url": "https://www.manageengine.com/products/exchange-reports/advisory/CVE-2025-5366.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored XSS",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "Zohocorp",
"cveId": "CVE-2025-5366",
"datePublished": "2025-06-26T12:21:02.567Z",
"dateReserved": "2025-05-30T09:52:51.575Z",
"dateUpdated": "2025-06-26T12:54:40.737Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-41444 (GCVE-0-2025-41444)
Vulnerability from cvelistv5 – Published: 2025-06-09 11:14 – Updated: 2025-06-09 13:05
VLAI?
Summary
Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the alerts module.
Severity ?
8.3 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | ADAudit Plus |
Affected:
0 , < 8511
(5722)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41444",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-09T13:05:25.285513Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T13:05:30.719Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ADAudit Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "8511",
"status": "affected",
"version": "0",
"versionType": "5722"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eZohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the alerts module.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the alerts module."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T11:14:58.186Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "Zohocorp"
},
"references": [
{
"url": "https://www.manageengine.com/products/active-directory-audit/cve-2025-41444.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "Zohocorp",
"cveId": "CVE-2025-41444",
"datePublished": "2025-06-09T11:14:58.186Z",
"dateReserved": "2025-04-21T07:24:59.758Z",
"dateUpdated": "2025-06-09T13:05:30.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-36528 (GCVE-0-2025-36528)
Vulnerability from cvelistv5 – Published: 2025-06-09 11:12 – Updated: 2025-06-09 13:05
VLAI?
Summary
Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in Service Account Auditing reports.
Severity ?
8.3 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | ADAudit Plus |
Affected:
0 , < 8511
(5722)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36528",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-09T13:05:44.149702Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T13:05:48.597Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ADAudit Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "8511",
"status": "affected",
"version": "0",
"versionType": "5722"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eZohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in \u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eService Account Auditing reports.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in Service Account Auditing reports."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T11:12:14.531Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "Zohocorp"
},
"references": [
{
"url": "https://www.manageengine.com/products/active-directory-audit/cve-2025-36528.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "Zohocorp",
"cveId": "CVE-2025-36528",
"datePublished": "2025-06-09T11:12:14.531Z",
"dateReserved": "2025-04-21T07:24:59.749Z",
"dateUpdated": "2025-06-09T13:05:48.597Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-27709 (GCVE-0-2025-27709)
Vulnerability from cvelistv5 – Published: 2025-06-09 11:04 – Updated: 2025-06-09 15:39
VLAI?
Summary
Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the Service Account Auditing reports.
Severity ?
8.3 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | ADAudit Plus |
Affected:
0 , < 8511
(5722)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-27709",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-09T15:28:45.447424Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T15:39:11.883Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ADAudit Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "8511",
"status": "affected",
"version": "0",
"versionType": "5722"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eZohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eService Account Auditing reports\u003c/span\u003e.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the Service Account Auditing reports."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T11:04:38.114Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "Zohocorp"
},
"references": [
{
"url": "https://www.manageengine.com/products/active-directory-audit/cve-2025-27709.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "Zohocorp",
"cveId": "CVE-2025-27709",
"datePublished": "2025-06-09T11:04:38.114Z",
"dateReserved": "2025-04-21T07:24:59.742Z",
"dateUpdated": "2025-06-09T15:39:11.883Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-41437 (GCVE-0-2025-41437)
Vulnerability from cvelistv5 – Published: 2025-06-09 10:44 – Updated: 2025-06-09 16:22
VLAI?
Summary
Zohocorp ManageEngine OpManager, NetFlow Analyzer, Network Configuration Manager, Firewall Analyzer and OpUtils versions 128565 and below are vulnerable to Reflected XSS on the login page.
Severity ?
4.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | OpManager |
Affected:
0 , < 128566
(128566)
|
Credits
Andrey Alekseev (Positive Technologies)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41437",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-09T16:21:00.489016Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T16:22:33.279Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpManager",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "128566",
"status": "affected",
"version": "0",
"versionType": "128566"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Andrey Alekseev (Positive Technologies)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zohocorp ManageEngine\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOpManager,\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNetFlow Analyzer,\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eNetwork Configuration Manager,\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eFirewall Analyzer and\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOpUtils versions\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e128565 and below are vulnerable to Reflected XSS on the login page.\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Zohocorp ManageEngine\u00a0OpManager,\u00a0NetFlow Analyzer,\u00a0Network Configuration Manager,\u00a0Firewall Analyzer and\u00a0OpUtils versions\u00a0128565 and below are vulnerable to Reflected XSS on the login page."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T10:44:08.879Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "Zohocorp"
},
"references": [
{
"url": "https://www.manageengine.com/itom/advisory/cve-2025-41437.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Reflected XSS",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "Zohocorp",
"cveId": "CVE-2025-41437",
"datePublished": "2025-06-09T10:44:08.879Z",
"dateReserved": "2025-04-21T10:22:18.137Z",
"dateUpdated": "2025-06-09T16:22:33.279Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3835 (GCVE-0-2025-3835)
Vulnerability from cvelistv5 – Published: 2025-06-09 10:29 – Updated: 2025-06-14 03:56
VLAI?
Summary
Zohocorp ManageEngine Exchange Reporter Plus versions 5721 and prior are vulnerable to Remote code execution in the Content Search module.
Severity ?
9.6 (Critical)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | Exchange Reporter Plus |
Affected:
0 , < 5722
(5722)
|
Credits
Ngockhanhc311 from FPT NightWolf
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3835",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-14T03:56:13.798Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Exchange Reporter Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "5722",
"status": "affected",
"version": "0",
"versionType": "5722"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Ngockhanhc311 from FPT NightWolf"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zohocorp ManageEngine\u0026nbsp;Exchange Reporter Plus versions\u0026nbsp;5721 and prior are vulnerable to Remote code execution in the\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eContent Search module.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Zohocorp ManageEngine\u00a0Exchange Reporter Plus versions\u00a05721 and prior are vulnerable to Remote code execution in the\u00a0Content Search module."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T10:29:18.379Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "Zohocorp"
},
"references": [
{
"url": "https://www.manageengine.com/products/exchange-reports/advisory/CVE-2025-3835.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Remote Code Execution",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "Zohocorp",
"cveId": "CVE-2025-3835",
"datePublished": "2025-06-09T10:29:18.379Z",
"dateReserved": "2025-04-21T07:22:57.310Z",
"dateUpdated": "2025-06-14T03:56:13.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-41407 (GCVE-0-2025-41407)
Vulnerability from cvelistv5 – Published: 2025-05-23 10:29 – Updated: 2025-05-23 11:57
VLAI?
Summary
Zohocorp ManageEngine ADAudit Plus versions below 8511 are vulnerable to SQL injection in the OU History report.
Severity ?
8.3 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | ADAudit Plus |
Affected:
0 , < 8511
(6514)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41407",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-23T11:57:03.143446Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-23T11:57:14.276Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ADAudit Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "8511",
"status": "affected",
"version": "0",
"versionType": "6514"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cp\u003eZohocorp ManageEngine ADAudit Plus versions below 8511 are vulnerable to SQL injection in the\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOU History report.\u003c/span\u003e\u003c/p\u003e\u003c/div\u003e\u003cbr\u003e"
}
],
"value": "Zohocorp ManageEngine ADAudit Plus versions below 8511 are vulnerable to SQL injection in the\u00a0OU History report."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-23T10:29:58.652Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "Zohocorp"
},
"references": [
{
"url": "https://www.manageengine.com/products/active-directory-audit/cve-2025-41407.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "Zohocorp",
"cveId": "CVE-2025-41407",
"datePublished": "2025-05-23T10:29:58.652Z",
"dateReserved": "2025-04-21T07:24:59.763Z",
"dateUpdated": "2025-05-23T11:57:14.276Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-36527 (GCVE-0-2025-36527)
Vulnerability from cvelistv5 – Published: 2025-05-23 10:28 – Updated: 2025-05-23 12:05
VLAI?
Summary
Zohocorp ManageEngine ADAudit Plus versions below 8511 are vulnerable to SQL injection while exporting reports.
Severity ?
8.3 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | ADAudit Plus |
Affected:
0 , < 8511
(6514)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-36527",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-23T12:00:08.629589Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-23T12:05:28.836Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ADAudit Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "8511",
"status": "affected",
"version": "0",
"versionType": "6514"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zohocorp ManageEngine\u0026nbsp;ADAudit Plus versions below 8511 are vulnerable to SQL injection while\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eexporting reports.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Zohocorp ManageEngine\u00a0ADAudit Plus versions below 8511 are vulnerable to SQL injection while\u00a0exporting reports."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-23T10:28:24.153Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "Zohocorp"
},
"references": [
{
"url": "https://www.manageengine.com/products/active-directory-audit/cve-2025-36527.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "Zohocorp",
"cveId": "CVE-2025-36527",
"datePublished": "2025-05-23T10:28:24.153Z",
"dateReserved": "2025-04-21T07:31:12.859Z",
"dateUpdated": "2025-05-23T12:05:28.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-41403 (GCVE-0-2025-41403)
Vulnerability from cvelistv5 – Published: 2025-05-22 10:39 – Updated: 2025-05-22 18:13
VLAI?
Summary
Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection while fetching service account audit data.
Severity ?
8.3 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | ADAudit Plus |
Affected:
0 , < 8511
(6514)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-41403",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-22T18:08:11.914322Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T18:13:43.312Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ADAudit Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "8511",
"status": "affected",
"version": "0",
"versionType": "6514"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zohocorp\u0026nbsp;ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection while fetching service account audit data.\u003cbr\u003e"
}
],
"value": "Zohocorp\u00a0ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection while fetching service account audit data."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T10:39:59.813Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "Zohocorp"
},
"references": [
{
"url": "https://www.manageengine.com/products/active-directory-audit/cve-2025-41403.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "Zohocorp",
"cveId": "CVE-2025-41403",
"datePublished": "2025-05-22T10:39:59.813Z",
"dateReserved": "2025-04-21T07:24:59.732Z",
"dateUpdated": "2025-05-22T18:13:43.312Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3836 (GCVE-0-2025-3836)
Vulnerability from cvelistv5 – Published: 2025-05-22 10:38 – Updated: 2025-05-22 18:21
VLAI?
Summary
Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the logon events aggregate report.
Severity ?
8.3 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | ADAudit Plus |
Affected:
0 , < 8511
(6514)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3836",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-22T18:18:09.405296Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T18:21:44.623Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ADAudit Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "8511",
"status": "affected",
"version": "0",
"versionType": "6514"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zohocorp\u0026nbsp;ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the logon events aggregate report.\u003cbr\u003e"
}
],
"value": "Zohocorp\u00a0ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the logon events aggregate report."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T10:38:26.473Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "Zohocorp"
},
"references": [
{
"url": "https://www.manageengine.com/products/active-directory-audit/cve-2025-3836.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "Zohocorp",
"cveId": "CVE-2025-3836",
"datePublished": "2025-05-22T10:38:26.473Z",
"dateReserved": "2025-04-21T07:24:24.884Z",
"dateUpdated": "2025-05-22T18:21:44.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3444 (GCVE-0-2025-3444)
Vulnerability from cvelistv5 – Published: 2025-05-22 10:31 – Updated: 2025-05-22 18:28
VLAI?
Summary
Zohocorp ManageEngine ServiceDesk Plus MSP and SupportCenter Plus versions below 14920 are vulnerable to authenticated Local File Inclusion (LFI) in the Admin module, where help card content is loaded.
Severity ?
6.5 (Medium)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ManageEngine | ServiceDesk Plus MSP |
Affected:
0 , < 14920
(14910)
|
|||||||
|
|||||||||
Credits
Esther
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3444",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-22T18:25:58.727731Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T18:28:27.922Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ServiceDesk Plus MSP",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "14920",
"status": "affected",
"version": "0",
"versionType": "14910"
}
]
},
{
"defaultStatus": "unaffected",
"product": "SupportCenter Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "14920",
"status": "affected",
"version": "0",
"versionType": "14920"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Esther"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zohocorp ManageEngine ServiceDesk Plus MSP and SupportCenter Plus versions below 14920 are vulnerable to authenticated Local File Inclusion (LFI) in the Admin module, where help card content is loaded."
}
],
"value": "Zohocorp ManageEngine ServiceDesk Plus MSP and SupportCenter Plus versions below 14920 are vulnerable to authenticated Local File Inclusion (LFI) in the Admin module, where help card content is loaded."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T10:31:48.562Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "Zohocorp"
},
"references": [
{
"url": "https://www.manageengine.com/products/service-desk-msp/cve-2025-3444.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Local File Inclusion",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "Zohocorp",
"cveId": "CVE-2025-3444",
"datePublished": "2025-05-22T10:31:48.562Z",
"dateReserved": "2025-04-08T08:14:09.202Z",
"dateUpdated": "2025-05-22T18:28:27.922Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3834 (GCVE-0-2025-3834)
Vulnerability from cvelistv5 – Published: 2025-05-14 11:05 – Updated: 2025-05-14 13:28
VLAI?
Summary
Zohocorp ManageEngine ADAudit Plus versions 8510 and prior are vulnerable to authenticated SQL injection in the OU History report.
Severity ?
8.1 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | ADAudit Plus |
Affected:
0 , < 8511
(6514)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3834",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-14T13:28:36.501976Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T13:28:48.403Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ADAudit Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "8511",
"status": "affected",
"version": "0",
"versionType": "6514"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zohocorp ManageEngine\u0026nbsp;ADAudit Plus versions\u0026nbsp;8510\u0026nbsp;and prior are vulnerable to authenticated SQL injection in the\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eOU History report\u003c/span\u003e."
}
],
"value": "Zohocorp ManageEngine\u00a0ADAudit Plus versions\u00a08510\u00a0and prior are vulnerable to authenticated SQL injection in the\u00a0OU History report."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T11:05:34.690Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "Zohocorp"
},
"references": [
{
"url": "https://www.manageengine.com/products/active-directory-audit/cve-2025-3834.html"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "Zohocorp",
"cveId": "CVE-2025-3834",
"datePublished": "2025-05-14T11:05:34.690Z",
"dateReserved": "2025-04-21T07:14:18.488Z",
"dateUpdated": "2025-05-14T13:28:48.403Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-3833 (GCVE-0-2025-3833)
Vulnerability from cvelistv5 – Published: 2025-05-14 11:00 – Updated: 2025-05-14 13:30
VLAI?
Summary
Zohocorp ManageEngine ADSelfService Plus versions 6513 and prior are vulnerable to authenticated SQL injection in the MFA reports.
Severity ?
8.1 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | ADSelfService Plus |
Affected:
0 , < 6514
(6514)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-3833",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-14T13:29:40.313688Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T13:30:00.739Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ADSelfService Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "6514",
"status": "affected",
"version": "0",
"versionType": "6514"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zohocorp ManageEngine\u0026nbsp;ADSelfService Plus versions\u0026nbsp;6513 and prior are vulnerable to authenticated SQL injection in the MFA reports."
}
],
"value": "Zohocorp ManageEngine\u00a0ADSelfService Plus versions\u00a06513 and prior are vulnerable to authenticated SQL injection in the MFA reports."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-14T11:00:27.309Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "Zohocorp"
},
"references": [
{
"url": "https://www.manageengine.com/products/self-service-password/advisory/CVE-2025-3833.html"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "Zohocorp",
"cveId": "CVE-2025-3833",
"datePublished": "2025-05-14T11:00:27.309Z",
"dateReserved": "2025-04-21T07:02:38.560Z",
"dateUpdated": "2025-05-14T13:30:00.739Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-50053 (GCVE-0-2024-50053)
Vulnerability from cvelistv5 – Published: 2025-03-21 06:01 – Updated: 2025-05-05 13:24
VLAI?
Summary
Zohocorp ManageEngine ServiceDesk Plus versions below 14920 , ServiceDesk Plus MSP and SupportCentre Plus versions below 14910 are vulnerable to Stored XSS in the task feature.
Severity ?
6.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ManageEngine | ServiceDesk Plus |
Affected:
0 , ≤ 14910
(14910)
|
||||||||||||
|
||||||||||||||
Credits
vuhd and brocked200 from Viettel Cyber Security
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-50053",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-21T13:58:06.843899Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T13:04:53.410Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.manageengine.com/products/service-desk/",
"defaultStatus": "unaffected",
"product": "ServiceDesk Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThanOrEqual": "14910",
"status": "affected",
"version": "0",
"versionType": "14910"
}
]
},
{
"collectionURL": "https://www.manageengine.com/products/service-desk-msp/",
"defaultStatus": "unaffected",
"product": "ServiceDesk Plus MSP",
"vendor": "ManageEngine",
"versions": [
{
"lessThanOrEqual": "14900",
"status": "affected",
"version": "0",
"versionType": "14900"
}
]
},
{
"collectionURL": "https://www.manageengine.com/products/support-center/",
"defaultStatus": "unaffected",
"product": "SupportCentre Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThanOrEqual": "14900",
"status": "affected",
"version": "0",
"versionType": "14900"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "vuhd and brocked200 from Viettel Cyber Security"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zohocorp ManageEngine ServiceDesk Plus versions\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ebelow\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e14920\u003c/span\u003e\u003c/span\u003e\u0026nbsp;, ServiceDesk Plus MSP and SupportCentre Plus versions below\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e14910 are vulnerable to Stored XSS in the task feature.\u003c/span\u003e"
}
],
"value": "Zohocorp ManageEngine ServiceDesk Plus versions\u00a0below\u00a014920\u00a0, ServiceDesk Plus MSP and SupportCentre Plus versions below\u00a014910 are vulnerable to Stored XSS in the task feature."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T13:24:19.125Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "Zohocorp"
},
"references": [
{
"url": "https://www.manageengine.com/products/service-desk/CVE-2024-50053.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored XSS",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "Zohocorp",
"cveId": "CVE-2024-50053",
"datePublished": "2025-03-21T06:01:39.945Z",
"dateReserved": "2024-11-07T11:25:31.918Z",
"dateUpdated": "2025-05-05T13:24:19.125Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-1723 (GCVE-0-2025-1723)
Vulnerability from cvelistv5 – Published: 2025-03-03 07:40 – Updated: 2025-03-03 14:24
VLAI?
Summary
Zohocorp ManageEngine ADSelfService Plus versions 6510 and below are vulnerable to account takeover due to the session mishandling. Valid account holders in the setup only have the potential to exploit this bug.
Severity ?
8.1 (High)
CWE
- CWE-287 - Improper Authentication
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | ADSelfService Plus |
Affected:
0 , < 6511
(6511)
|
Credits
Weston
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1723",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-03T14:23:30.263370Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T14:24:12.072Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "ADSelfService Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "6511",
"status": "affected",
"version": "0",
"versionType": "6511"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Weston"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zohocorp ManageEngine ADSelfService Plus versions 6510 and below are vulnerable to account takeover due to the\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003esession mishandling. Valid account holders in the setup only have the potential to exploit this bug.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Zohocorp ManageEngine ADSelfService Plus versions 6510 and below are vulnerable to account takeover due to the\u00a0session mishandling. Valid account holders in the setup only have the potential to exploit this bug."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-03T07:40:10.789Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "ManageEngine"
},
"references": [
{
"url": "https://www.manageengine.com/products/self-service-password/advisory/CVE-2025-1723.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Account takeover",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "ManageEngine",
"cveId": "CVE-2025-1723",
"datePublished": "2025-03-03T07:40:10.789Z",
"dateReserved": "2025-02-26T17:07:32.710Z",
"dateUpdated": "2025-03-03T14:24:12.072Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-9097 (GCVE-0-2024-9097)
Vulnerability from cvelistv5 – Published: 2025-02-05 12:40 – Updated: 2025-02-12 20:51
VLAI?
Summary
ManageEngine Endpoint Central versions before 11.3.2440.09 are vulnerable to IDOR vulnerability which allows the attacker to change the username in the chat.
Severity ?
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | Endpoint Central |
Affected:
0 , < 11.3.2440.09
(11.3.2440.09)
|
Credits
Vishnu Das from Temenos
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9097",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-05T13:56:34.454181Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:51:30.048Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.manageengine.com/products/desktop-central/",
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "Endpoint Central",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "11.3.2440.09",
"status": "affected",
"version": "0",
"versionType": "11.3.2440.09"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Vishnu Das from Temenos"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "ManageEngine Endpoint Central versions before\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e11.3.2440.09 are vulnerable to IDOR vulnerability which allows the attacker to change the username in the chat.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "ManageEngine Endpoint Central versions before\u00a011.3.2440.09 are vulnerable to IDOR vulnerability which allows the attacker to change the username in the chat."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-05T12:40:15.257Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "ManageEngine"
},
"references": [
{
"url": "https://www.manageengine.com/products/desktop-central/cve-2024-9097.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "IDOR",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "ManageEngine",
"cveId": "CVE-2024-9097",
"datePublished": "2025-02-05T12:40:15.257Z",
"dateReserved": "2024-09-23T04:18:05.868Z",
"dateUpdated": "2025-02-12T20:51:30.048Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-41140 (GCVE-0-2024-41140)
Vulnerability from cvelistv5 – Published: 2025-01-29 11:14 – Updated: 2025-02-12 19:51
VLAI?
Summary
Zohocorp ManageEngine Applications Manager versions 174000 and prior are vulnerable to the incorrect authorization in the update user function.
Severity ?
8.1 (High)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | Applications Manager |
Affected:
0 , ≤ 174000
(174000)
|
Credits
maneesh
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41140",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-29T14:06:02.590376Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T19:51:14.429Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Applications Manager",
"vendor": "ManageEngine",
"versions": [
{
"lessThanOrEqual": "174000",
"status": "affected",
"version": "0",
"versionType": "174000"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "maneesh"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zohocorp ManageEngine Applications Manager versions\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e174000 and prior are vulnerable to the incorrect authorization in the update user function.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Zohocorp ManageEngine Applications Manager versions\u00a0174000 and prior are vulnerable to the incorrect authorization in the update user function."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-29T11:14:50.910Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "ManageEngine"
},
"references": [
{
"url": "https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2024-41140.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Authorization",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "ManageEngine",
"cveId": "CVE-2024-41140",
"datePublished": "2025-01-29T11:14:50.910Z",
"dateReserved": "2024-07-16T07:03:21.743Z",
"dateUpdated": "2025-02-12T19:51:14.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52323 (GCVE-0-2024-52323)
Vulnerability from cvelistv5 – Published: 2024-11-27 09:54 – Updated: 2025-08-27 21:43
VLAI?
Summary
Zohocorp ManageEngine Analytics Plus versions below 6100 are vulnerable to authenticated sensitive data exposure which allows the users to retrieve sensitive tokens associated to the org-admin account.
Severity ?
8.1 (High)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | Analytics Plus |
Affected:
0 , < 6100
(6100)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-52323",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-27T14:17:55.542421Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T21:43:04.930Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.manageengine.com/analytics-plus/",
"defaultStatus": "unaffected",
"product": "Analytics Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "6100",
"status": "affected",
"version": "0",
"versionType": "6100"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zohocorp\u0026nbsp;ManageEngine Analytics Plus versions below 6100 are vulnerable to authenticated sensitive data exposure which allows the users to retrieve sensitive tokens associated to the org-admin account."
}
],
"value": "Zohocorp\u00a0ManageEngine Analytics Plus versions below 6100 are vulnerable to authenticated sensitive data exposure which allows the users to retrieve sensitive tokens associated to the org-admin account."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-27T09:54:07.999Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "ManageEngine"
},
"references": [
{
"url": "https://www.manageengine.com/analytics-plus/CVE-2024-52323.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Sensitive Data Exposure",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "ManageEngine",
"cveId": "CVE-2024-52323",
"datePublished": "2024-11-27T09:54:07.999Z",
"dateReserved": "2024-11-07T11:25:31.904Z",
"dateUpdated": "2025-08-27T21:43:04.930Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-49574 (GCVE-0-2024-49574)
Vulnerability from cvelistv5 – Published: 2024-11-18 07:55 – Updated: 2024-11-26 14:45
VLAI?
Summary
Zohocorp ManageEngine ADAudit Plus versions below 8123 are vulnerable to SQL Injection in the reports module.
Severity ?
8.3 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | ADAudit Plus |
Affected:
0 , < 8123
(8121)
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:zohocorp:manageengine_adaudit_plus:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "manageengine_adaudit_plus",
"vendor": "zohocorp",
"versions": [
{
"lessThan": "8123",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-49574",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-18T13:41:12.438869Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T14:45:29.910Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.manageengine.com/?pos=ADAudit",
"defaultStatus": "unaffected",
"product": "ADAudit Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "8123",
"status": "affected",
"version": "0",
"versionType": "8121"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zohocorp ManageEngine ADAudit Plus versions below 8123 are vulnerable to SQL Injection in\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ethe reports module.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Zohocorp ManageEngine ADAudit Plus versions below 8123 are vulnerable to SQL Injection in\u00a0the reports module."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-18T07:55:13.332Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "ManageEngine"
},
"references": [
{
"url": "https://www.manageengine.com/products/active-directory-audit/cve-2024-49574.html"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "ManageEngine",
"cveId": "CVE-2024-49574",
"datePublished": "2024-11-18T07:55:13.332Z",
"dateReserved": "2024-11-07T11:25:31.882Z",
"dateUpdated": "2024-11-26T14:45:29.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10839 (GCVE-0-2024-10839)
Vulnerability from cvelistv5 – Published: 2024-11-08 10:58 – Updated: 2024-11-08 14:18
VLAI?
Summary
Zohocorp ManageEngine SharePoint Manager Plus versions 4503 and prior are vulnerable to authenticated XML External Entity (XXE) in the Management option.
Severity ?
8.5 (High)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | SharePoint Manager Plus |
Affected:
0 , ≤ 4503
(4503)
|
Credits
Zewei Zhang from NSFOCUS TIANJI Lab
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10839",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-08T14:18:42.476990Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-08T14:18:57.843Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.manageengine.com/?pos=SharePointMgr",
"defaultStatus": "unaffected",
"product": "SharePoint Manager Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThanOrEqual": "4503",
"status": "affected",
"version": "0",
"versionType": "4503"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Zewei Zhang from NSFOCUS TIANJI Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zohocorp ManageEngine SharePoint Manager Plus versions\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e4503 and prior are vulnerable to authenticated XML External Entity (XXE) in the Management option.\u003c/span\u003e"
}
],
"value": "Zohocorp ManageEngine SharePoint Manager Plus versions\u00a04503 and prior are vulnerable to authenticated XML External Entity (XXE) in the Management option."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-08T10:58:19.228Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "ManageEngine"
},
"references": [
{
"url": "https://www.manageengine.com/sharepoint-management-reporting/advisory/CVE-2024-10839.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XML External Entity",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "ManageEngine",
"cveId": "CVE-2024-10839",
"datePublished": "2024-11-08T10:58:19.228Z",
"dateReserved": "2024-11-05T05:54:33.831Z",
"dateUpdated": "2024-11-08T14:18:57.843Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-24409 (GCVE-0-2024-24409)
Vulnerability from cvelistv5 – Published: 2024-11-08 08:01 – Updated: 2024-11-08 14:20
VLAI?
Summary
Zohocorp ManageEngine ADManager Plus versions 7203 and prior are vulnerable to Privilege Escalation in the Modify Computers option.
Severity ?
8.8 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | ADManager Plus |
Affected:
0 , ≤ 7203
(7203)
|
Credits
metin kandemir
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:zohocorp:manageengine_admanager_plus:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "manageengine_admanager_plus",
"vendor": "zohocorp",
"versions": [
{
"lessThanOrEqual": "7203",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-24409",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-08T14:19:23.042539Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-08T14:20:25.641Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.manageengine.com/products/ad-manager/",
"defaultStatus": "unaffected",
"platforms": [
"Windows"
],
"product": "ADManager Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThanOrEqual": "7203",
"status": "affected",
"version": "0",
"versionType": "7203"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "metin kandemir"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zohocorp ManageEngine ADManager Plus versions 7203 and prior are vulnerable to\u0026nbsp;Privilege Escalation in the\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eModify Computers option.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Zohocorp ManageEngine ADManager Plus versions 7203 and prior are vulnerable to\u00a0Privilege Escalation in the\u00a0Modify Computers option."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-08T08:01:12.844Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "ManageEngine"
},
"references": [
{
"url": "https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2024-24409.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Privilege Escalation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "ManageEngine",
"cveId": "CVE-2024-24409",
"datePublished": "2024-11-08T08:01:12.844Z",
"dateReserved": "2024-01-25T09:12:44.368Z",
"dateUpdated": "2024-11-08T14:20:25.641Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10203 (GCVE-0-2024-10203)
Vulnerability from cvelistv5 – Published: 2024-11-07 09:20 – Updated: 2024-11-07 14:27
VLAI?
Summary
Zohocorp ManageEngine EndPoint Central versions 11.3.2416.21 and below, 11.3.2428.9 and below are vulnerable to Arbitrary File Deletion in the agent installed machines.
Severity ?
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | EndPoint Central |
Affected:
0 , < 11.3.2416.22
(11.3.2416.21)
Affected: 0 , < 11.3.2428.10 (11.3.2416.22) |
Credits
Brenden Meeder
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:zohocorp:manageengine_endpoint_central:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "manageengine_endpoint_central",
"vendor": "zohocorp",
"versions": [
{
"lessThan": "11.3.2416.22",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "11.3.2428.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10203",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-07T14:14:19.663318Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T14:27:15.677Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EndPoint Central",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "11.3.2416.22",
"status": "affected",
"version": "0",
"versionType": "11.3.2416.21"
},
{
"lessThan": "11.3.2428.10",
"status": "affected",
"version": "0",
"versionType": "11.3.2416.22"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Brenden Meeder"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zohocorp ManageEngine EndPoint Central versions 11.3.2416.21 and below, 11.3.2428.9 and below are vulnerable to Arbitrary File Deletion in the agent installed machines.\u003cbr\u003e"
}
],
"value": "Zohocorp ManageEngine EndPoint Central versions 11.3.2416.21 and below, 11.3.2428.9 and below are vulnerable to Arbitrary File Deletion in the agent installed machines."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T09:20:07.450Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "ManageEngine"
},
"references": [
{
"url": "https://www.manageengine.com/products/desktop-central/cve-2024-10203.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Agent Arbitrary File Deletion",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "ManageEngine",
"cveId": "CVE-2024-10203",
"datePublished": "2024-11-07T09:20:07.450Z",
"dateReserved": "2024-10-21T04:28:34.057Z",
"dateUpdated": "2024-11-07T14:27:15.677Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-9459 (GCVE-0-2024-9459)
Vulnerability from cvelistv5 – Published: 2024-11-05 05:44 – Updated: 2024-11-05 16:24
VLAI?
Summary
Zohocorp ManageEngine Exchange Reporter Plus versions 5718 and prior are vulnerable to authenticated SQL Injection in reports module.
Severity ?
8.3 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | Exchange Reporter Plus |
Affected:
0 , < 5719
(5719)
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:zohocorp:manageengine_exchange_reporter_plus:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "manageengine_exchange_reporter_plus",
"vendor": "zohocorp",
"versions": [
{
"lessThan": "5719",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9459",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-05T16:22:14.072305Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T16:24:05.731Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.manageengine.com/products/exchange-reports/",
"defaultStatus": "unaffected",
"product": "Exchange Reporter Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "5719",
"status": "affected",
"version": "0",
"versionType": "5719"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zohocorp ManageEngine\u0026nbsp;Exchange Reporter Plus versions\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e5718 and prior are vulnerable to authenticated SQL Injection in reports module.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Zohocorp ManageEngine\u00a0Exchange Reporter Plus versions\u00a05718 and prior are vulnerable to authenticated SQL Injection in reports module."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-05T05:44:57.368Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "ManageEngine"
},
"references": [
{
"url": "https://www.manageengine.com/products/exchange-reports/advisory/CVE-2024-9459.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "ManageEngine",
"cveId": "CVE-2024-9459",
"datePublished": "2024-11-05T05:44:57.368Z",
"dateReserved": "2024-10-03T06:59:59.585Z",
"dateUpdated": "2024-11-05T16:24:05.731Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-36485 (GCVE-0-2024-36485)
Vulnerability from cvelistv5 – Published: 2024-11-04 11:13 – Updated: 2024-11-07 11:02
VLAI?
Summary
Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to SQL Injection in Technician reports option.
Severity ?
8.3 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | ADAudit Plus |
Affected:
0 , < 8121
(8121)
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:zohocorp:manageengine_adaudit_plus:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "manageengine_adaudit_plus",
"vendor": "zohocorp",
"versions": [
{
"lessThan": "8121",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-36485",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-04T15:16:51.310358Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T15:18:52.524Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.manageengine.com/?pos=ADAudit",
"defaultStatus": "unaffected",
"product": "ADAudit Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "8121",
"status": "affected",
"version": "0",
"versionType": "8121"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to SQL Injection in\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eTechnician reports option.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to SQL Injection in\u00a0Technician reports option."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T11:02:05.293Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "ManageEngine"
},
"references": [
{
"url": "https://www.manageengine.com/products/active-directory-audit/cve-2024-36485.html"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "ManageEngine",
"cveId": "CVE-2024-36485",
"datePublished": "2024-11-04T11:13:02.838Z",
"dateReserved": "2024-07-16T07:03:21.727Z",
"dateUpdated": "2024-11-07T11:02:05.293Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-48878 (GCVE-0-2024-48878)
Vulnerability from cvelistv5 – Published: 2024-11-04 10:56 – Updated: 2024-11-04 15:22
VLAI?
Summary
Zohocorp ManageEngine ADManager Plus versions 7241 and prior are vulnerable to SQL Injection in Archived Audit Report.
Severity ?
8.3 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | ADManager Plus |
Affected:
0 , ≤ 7241
(7241)
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:zohocorp:manageengine_admanager_plus:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "manageengine_admanager_plus",
"vendor": "zohocorp",
"versions": [
{
"lessThanOrEqual": "7241",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-48878",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-04T15:20:43.036499Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T15:22:39.321Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.manageengine.com/products/ad-manager/",
"defaultStatus": "unaffected",
"product": "ADManager Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThanOrEqual": "7241",
"status": "affected",
"version": "0",
"versionType": "7241"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zohocorp ManageEngine ADManager Plus versions 7241 and prior are vulnerable to SQL Injection in\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eArchived Audit Report.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Zohocorp ManageEngine ADManager Plus versions 7241 and prior are vulnerable to SQL Injection in\u00a0Archived Audit Report."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T10:56:26.641Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "ManageEngine"
},
"references": [
{
"url": "https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2024-48878.html"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "ManageEngine",
"cveId": "CVE-2024-48878",
"datePublished": "2024-11-04T10:56:26.641Z",
"dateReserved": "2024-10-09T10:57:57.152Z",
"dateUpdated": "2024-11-04T15:22:39.321Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-5608 (GCVE-0-2024-5608)
Vulnerability from cvelistv5 – Published: 2024-10-24 11:42 – Updated: 2024-10-24 13:55
VLAI?
Summary
Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to SQL Injection in the technician reports feature.
Severity ?
8.3 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | ADAudit Plus |
Affected:
0 , < 8121
(8121)
|
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:manageengine:adaudit_plus:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "adaudit_plus",
"vendor": "manageengine",
"versions": [
{
"lessThan": "5121",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5608",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-24T13:49:43.999082Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-24T13:55:28.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.manageengine.com/products/active-directory-audit/",
"defaultStatus": "unaffected",
"product": "ADAudit Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "8121",
"status": "affected",
"version": "0",
"versionType": "8121"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to SQL Injection in the technician reports feature."
}
],
"value": "Zohocorp ManageEngine ADAudit Plus versions below 8121 are vulnerable to SQL Injection in the technician reports feature."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-24T11:42:44.789Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "ManageEngine"
},
"references": [
{
"url": "https://www.manageengine.com/products/active-directory-audit/cve-2024-5608.html"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "ManageEngine",
"cveId": "CVE-2024-5608",
"datePublished": "2024-10-24T11:42:44.789Z",
"dateReserved": "2024-06-03T19:38:45.832Z",
"dateUpdated": "2024-10-24T13:55:28.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-9100 (GCVE-0-2024-9100)
Vulnerability from cvelistv5 – Published: 2024-10-03 14:17 – Updated: 2024-10-03 15:33
VLAI?
Summary
Zohocorp ManageEngine Analytics Plus versions before 5410 and Zoho Analytics On-Premise versions before 5410 are vulnerable to Path traversal.
Severity ?
6.5 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ManageEngine | Analytics Plus |
Affected:
0 , < 5410
(5410)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9100",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T15:33:46.340790Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T15:33:56.745Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.manageengine.com/analytics-plus/",
"defaultStatus": "unaffected",
"product": "Analytics Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "5410",
"status": "affected",
"version": "0",
"versionType": "5410"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zohocorp ManageEngine Analytics Plus versions before 5410 and\u0026nbsp;Zoho Analytics On-Premise\u0026nbsp;versions before 5410 are vulnerable to Path traversal."
}
],
"value": "Zohocorp ManageEngine Analytics Plus versions before 5410 and\u00a0Zoho Analytics On-Premise\u00a0versions before 5410 are vulnerable to Path traversal."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T14:17:02.797Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "ManageEngine"
},
"references": [
{
"url": "https://www.manageengine.com/analytics-plus/CVE-2024-9100.html"
},
{
"url": "https://www.zoho.com/analytics/onpremise/CVE-2024-9100.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Local File Inclusion",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "ManageEngine",
"cveId": "CVE-2024-9100",
"datePublished": "2024-10-03T14:17:02.797Z",
"dateReserved": "2024-09-23T11:38:13.736Z",
"dateUpdated": "2024-10-03T15:33:56.745Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}