Vulnerabilities for 'Manageengine password manager pro'

2021-06-16
 
CVE-2021-31857

CWE-522
 

 
In Zoho ManageEngine Password Manager Pro before 11.1 build 11104, attackers are able to retrieve credentials via a browser extension for non-website resource types.

 
2020-03-16
 
CVE-2020-9347

CWE-74
 

 
** DISPUTED ** Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. NOTE: the vendor disputes the significance of this report because they expect CSV risk mitigation to be provided by an external application, and do not plan to add CSV constraints to their own products.

 
 
CVE-2020-9346

CWE-352
 

 
Zoho ManageEngine Password Manager Pro 10.4 and prior has no protection against Cross-site Request Forgery (CSRF) attacks, as demonstrated by changing a user's role.

 
2020-03-09
 
CVE-2016-1159

CWE-200
 

 
In ZOHO Password Manager Pro (PMP) 8.3.0 (Build 8303) and 8.4.0 (Build 8400,8401,8402), underprivileged users can obtain sensitive information (entry password history) via a vulnerable hidden service.

 
2019-06-18
 
CVE-2019-12133

CWE-275
 

 
Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, SupportCenter Plus 8.1, O365 Manager Plus 4.0, Mobile Device Manager Plus 9.0.0, Patch Connect Plus 9.0.0, Vulnerability Manager Plus 9.0.0, Patch Manager Plus 9.0.0, OpManager 12.3, NetFlow Analyzer 11.0, OpUtils 11.0, Network Configuration Manager 11.0, FireWall 12.0, Key Manager Plus 5.6, Password Manager Pro 9.9, Analytics Plus 1.0, and Browser Security Plus.

 
2015-07-08
 
CVE-2015-5459

 

 
SQL injection vulnerability in the AdvanceSearch.class in AdventNetPassTrix.jar in ManageEngine Password Manager Pro (PMP) before 8.1 Build 8101 allows remote authenticated users to execute arbitrary SQL commands via the ANDOR parameter, as demonstrated by a request to STATE_ID/1425543888647/SQLAdvancedALSearchResult.cc.

 
2014-12-05
 
CVE-2014-3997

CWE-89
 

 
SQL injection vulnerability in the MetadataServlet servlet in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition 5 through 7 build 7003, IT360 and IT360 Managed Service Providers (MSP) edition before 10.3.3 build 10330, and possibly other ManageEngine products, allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the sv parameter to MetadataServlet.dat.

 
2014-11-17
 
CVE-2014-8498

CWE-89
 

 
SQL injection vulnerability in BulkEditSearchResult.cc in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7.1 build 7105 allows remote authenticated users to execute arbitrary SQL commands via the SEARCH_ALL parameter.

 

Vendor: Zohocorp (45 products)
Webnms
Manageengine adselfservice plus
Manageengine admanager plus
Manageengine assetexplorer
Manageengine opstor
Manageengine eventlog analyzer
Manageengine desktop central
Manageengine it360
Manageengine netflow analyzer
Manageengine it plus
Manageengine opmanager
Manageengine social it plus
Manageengine supportcenter plus
Servicedesk plus
Manageengine password manager pro
Webnms framework
Password manager pro
Manageengine firewall analyzer
Site24x7 mobile network poller
Manageengine applications manager
Manageengine recovery manager plus
Manageengine servicedesk plus
Firewall analyzer
Network configuration manager
Opmanager
Oputils
Manageengine analytics plus
Manageengine browser security plus
Manageengine firewall
Manageengine key manager plus
Manageengine mobile device manager plus
Manageengine network configuration manager
Manageengine o365 manager plus
Manageengine oputils
Manageengine patch connect plus
Manageengine patch manager plus
Manageengine vulnerability manager plus
Manageengine desktop central managed service providers
Manageengine remote access plus
Manageengine adaudit plus
Manageengine datasecurity plus
Manageengine applications control plus
Manageengine servicedesk plus msp
Manageengine log360
Manageengine cloud security plus


Copyright 2021, cxsecurity.com

 
