Zohocorp Manageengine Applications Manager — known CVE vulnerabilities
Every CVE whose affected-product data names Zohocorp Manageengine Applications Manager, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (56)
CVE-2020-15533 — CVSS 9.8 (critical): In Zoho ManageEngine Application Manager 14.7 Build 14730 (before 14684, and between 14689 and 14750), the AlarmEscalation module is…
CVE-2020-15394 — CVSS 9.8 (critical): The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request…
CVE-2017-16846 — CVSS 9.8 (critical): Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /manageApplications.do?method=AddSubGroup haid…
CVE-2017-16847 — CVSS 9.8 (critical): Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a…
CVE-2017-16848 — CVSS 9.8 (critical): Zoho ManageEngine Applications Manager 13 allows SQL injection via the /manageConfMons.do groupname parameter.
CVE-2017-16849 — CVSS 9.8 (critical): Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do?method=viewDashBoard forpage parameter.
CVE-2017-16850 — CVSS 9.8 (critical): Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a…
CVE-2017-16851 — CVSS 9.8 (critical): Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /MyPage.do widgetid parameter.
CVE-2018-13050 — CVSS 9.8 (critical): A SQL Injection vulnerability exists in Zoho ManageEngine Applications Manager 13.x before build 13800 via the j_username parameter in a…
CVE-2018-15168 — CVSS 9.8 (critical): A SQL Injection vulnerability exists in the Zoho ManageEngine Applications Manager 13 before build 13820 via the resids parameter in a…
CVE-2020-24743 — CVSS 9.8 (critical): An issue was found in /showReports.do Zoho ManageEngine Applications Manager up to 14550, allows attackers to gain escalated privileges via…
CVE-2018-7890 — CVSS 9.8 (critical): A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). The publicly accessible…
CVE-2019-11448 — CVSS 9.8 (critical): An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain the authority of…
CVE-2019-19649 — CVSS 9.8 (critical): Zoho ManageEngine Applications Manager before 13620 allows a remote unauthenticated SQL injection via the SyncEventServlet eventid…
CVE-2016-9498 — CVSS 9.8 (critical): ManageEngine Applications Manager 12 and 13 before build 13200, allows unserialization of unsafe Java objects. The vulnerability can be…
CVE-2020-27995 — CVSS 9.8 (critical): SQL Injection in Zoho ManageEngine Applications Manager 14 before 14560 allows an attacker to execute commands on the server via the…
CVE-2017-16543 — CVSS 9.8 (critical): Zoho ManageEngine Applications Manager 13 before build 13500 allows SQL injection via GraphicalView.do, as demonstrated by a crafted…
CVE-2018-11808 — CVSS 9.1 (critical): Incorrect Access Control in CustomFieldsFeedServlet in Zoho ManageEngine Applications Manager Version 13 before build 13740 allows an…
CVE-2020-15927 — CVSS 8.8 (high): Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the SAP…
CVE-2020-28679 — CVSS 8.8 (high): A vulnerability in the showReports module of Zoho ManageEngine Applications Manager before build 14550 allows authenticated attackers to…
CVE-2016-9489 — CVSS 8.8 (high): In ManageEngine Applications Manager 12 and 13 before build 13200, an authenticated user is able to alter all of their own properties…
CVE-2017-11740 — CVSS 8.8 (high): In Zoho ManageEngine Application Manager 13.1 Build 13100, the administrative user has the ability to upload files/binaries that can be…
CVE-2017-16542 — CVSS 8.8 (high): Zoho ManageEngine Applications Manager 13 before build 13500 allows Post-authentication SQL injection via the name parameter in a…
CVE-2020-27733 — CVSS 8.8 (high): Zoho ManageEngine Applications Manager before 14 build 14880 allows an authenticated SQL Injection via a crafted Alarmview request.
CVE-2019-19650 — CVSS 8.8 (high): Zoho ManageEngine Applications Manager before 13640 allows a remote authenticated SQL injection via the Agent servlet agentid parameter to…
CVE-2019-15104 — CVSS 8.8 (high): An issue was discovered in Zoho ManageEngine OpManager through 12.4x. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguratio…
CVE-2019-15105 — CVSS 8.8 (high): An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in…
CVE-2020-16267 — CVSS 8.8 (high): Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the RCA…
CVE-2020-35765 — CVSS 8.8 (high): doFilter in com.adventnet.appmanager.filter.UriCollector in Zoho ManageEngine Applications Manager through 14930 allows an authenticated…
CVE-2019-19475 — CVSS 8.8 (high): An issue was discovered in ManageEngine Applications Manager 14 with Build 14360. Integrated PostgreSQL which is built-in in Applications…
CVE-2018-16364 — CVSS 8.1 (high): A serialization vulnerability in Zoho ManageEngine Applications Manager before build 13740 allows for remote code execution on Windows via…
CVE-2017-11738 — CVSS 8.1 (high): In Zoho ManageEngine Application Manager prior to 14.6 Build 14660, the 'haid' parameter of the '/auditLogAction.do' module is vulnerable…
CVE-2024-41140 — CVSS 8.1 (high): Zohocorp ManageEngine Applications Manager versions 174000 and prior are vulnerable to the incorrect authorization in the update user…
CVE-2014-7863 — CVSS 7.5 (high): The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through…
CVE-2020-10816 — CVSS 7.5 (high): Zoho ManageEngine Applications Manager 14780 and before allows a remote unauthenticated attacker to register managed servers via…
CVE-2020-14008 — CVSS 7.2 (high): Zoho ManageEngine Applications Manager 14710 and before allows an authenticated admin user to upload a vulnerable jar in a specific…
CVE-2022-23050 — CVSS 7.2 (high): ManageEngine AppManager15 (Build No:15510) allows an authenticated admin user to upload a DLL file to perform a DLL hijack attack inside…
CVE-2025-6239 — CVSS 6.5 (medium): Zohocorp ManageEngine Applications Manager versions 176800 and below are vulnerable to information disclosure in File/Directory monitor.
CVE-2023-28340 — CVSS 6.5 (medium): Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack.
CVE-2025-27930 — CVSS 6.4 (medium): Zohocorp ManageEngine Applications Manager versions 176600 and prior are vulnerable to stored cross-site scripting in the File/Directory…
CVE-2020-15521 — CVSS 6.1 (medium): Zoho ManageEngine Applications Manager before 14 build 14730 has no protection against jsp/header.jsp Cross-site Scripting (XSS) .
CVE-2025-9787 — CVSS 6.1 (medium): Zohocorp ManageEngine Applications Manager versions 177400 and below are vulnerable to Stored Cross-Site Scripting vulnerability in the NOC…
CVE-2018-12996 — CVSS 6.1 (medium): A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager before 13 (Build 13800) allows remote…
CVE-2017-11739 — CVSS 6.1 (medium): In Zoho ManageEngine Application Manager 13.1 Build 13100, an authenticated user, with administrative privileges, has the ability to add a…
CVE-2018-15169 — CVSS 6.1 (medium): A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager 13 before build 13820 allows remote…
CVE-2023-28341 — CVSS 6.1 (medium): Stored Cross site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to…
CVE-2021-31813 — CVSS 5.4 (medium): Zoho ManageEngine Applications Manager before 15130 is vulnerable to Stored XSS while importing malicious user details (e.g., a crafted…
CVE-2019-19799 — CVSS 5.3 (medium): Zoho ManageEngine Applications Manager before 14600 allows a remote unauthenticated attacker to disclose license related information via…
CVE-2017-11557 — CVSS 5.3 (medium): An issue was discovered in ZOHO ManageEngine Applications Manager 12.3. It is possible for an unauthenticated user to view the list of…
CVE-2019-19800 — CVSS 5.3 (medium): Zoho ManageEngine Applications Manager 14 before 14520 allows a remote unauthenticated attacker to disclose OS file names via…
CVE-2016-9491 — CVSS 4.9 (medium): ManageEngine Applications Manager 12 and 13 before build 13690 allows an authenticated user, who is able to access /register.do page (most…
CVE-2024-5678 — CVSS 4.7 (medium): Zohocorp ManageEngine Applications Manager versions 170900 and below are vulnerable to the authenticated admin-only SQL Injection in the…