Multiple vulnerabilities in Zoho ManageEngine OpManager
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 9 |
| CVE-ID | N/A |
| CWE-ID | CWE-640 CWE-284 CWE-89 CWE-98 CWE-22 CWE-287 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Zoho ManageEngine OpManager Client/Desktop applications / Other client software |
| Vendor | Zoho Corporation |
Security Bulletin
This security bulletin contains information about 9 vulnerabilities.
1) Weak Password Recovery Mechanism for Forgotten Password
EUVDB-ID: #VU60173
Risk: Medium
CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-640 - Weak password recovery mechanism
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to the application.
The vulnerability exists due to predictable password reset logic. A remote attacker can reset password of another user and gain unauthorized access to the system.
Install updates from vendor's website.
Vulnerable software versionsZoho ManageEngine OpManager: 12.5 125559 - 12.5 125564
CPE2.3 External linkshttp://www.manageengine.com/network-monitoring/help/read-me-complete.html#125565
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper access control
EUVDB-ID: #VU60174
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and access endpoints of multiple modules.
MitigationInstall updates from vendor's website.
Vulnerable software versionsZoho ManageEngine OpManager: 12.5 125559 - 12.5 125564
CPE2.3 External linkshttp://www.manageengine.com/network-monitoring/help/read-me-complete.html#125565
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) SQL injection
EUVDB-ID: #VU60175
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the infrastructure detail search module. A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
MitigationInstall updates from vendor's website.
Vulnerable software versionsZoho ManageEngine OpManager: 12.5 125559 - 12.5 125564
CPE2.3 External linkshttp://www.manageengine.com/network-monitoring/help/read-me-complete.html#125565
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) SQL injection
EUVDB-ID: #VU60176
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data in the availability module. A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
MitigationInstall updates from vendor's website.
Vulnerable software versionsZoho ManageEngine OpManager: 12.5 125559 - 12.5 125564
CPE2.3 External linkshttp://www.manageengine.com/network-monitoring/help/read-me-complete.html#125565
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) PHP file inclusion
EUVDB-ID: #VU60177
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program
Exploit availability: No
DescriptionThe vulnerability allows a remote user to include and execute arbitrary PHP files on the server.
The vulnerability exists due to incorrect input validation when including PHP files in Schedule Discovery module. A remote authenticated user can send a specially crafted HTTP request to the affected application, include and execute arbitrary PHP code on the system with privileges of the web server.
MitigationInstall updates from vendor's website.
Vulnerable software versionsZoho ManageEngine OpManager: 12.5 125559 - 12.5 125564
CPE2.3 External linkshttp://www.manageengine.com/network-monitoring/help/read-me-complete.html#125565
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) PHP file inclusion
EUVDB-ID: #VU60178
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program
Exploit availability: No
DescriptionThe vulnerability allows a remote user to include and execute arbitrary PHP files on the server.
The vulnerability exists due to incorrect input validation when including PHP files in Device Template module. A remote authenticated user can send a specially crafted HTTP request to the affected application, include and execute arbitrary PHP code on the system with privileges of the web server.
MitigationInstall updates from vendor's website.
Vulnerable software versionsZoho ManageEngine OpManager: 12.5 125559 - 12.5 125564
CPE2.3 External linkshttp://www.manageengine.com/network-monitoring/help/read-me-complete.html#125565
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Path traversal
EUVDB-ID: #VU60179
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences in filenames on Agent based monitoring devices. A remote attacker can create a specially crafted archive (aka zipslip attack vector) and overwrite arbitrary files on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsZoho ManageEngine OpManager: 12.5 125559 - 12.5 125564
CPE2.3 External linkshttp://www.manageengine.com/network-monitoring/help/read-me-complete.html#125565
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Improper access control
EUVDB-ID: #VU60180
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in NCM. A remote user can bypass implemented security restrictions and view alarms of other devices in alarm popups and dashboard widget.
MitigationInstall updates from vendor's website.
Vulnerable software versionsZoho ManageEngine OpManager: 12.5 125559 - 12.5 125564
CPE2.3 External linkshttp://www.manageengine.com/network-monitoring/help/read-me-complete.html#125565
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Improper Authentication
EUVDB-ID: #VU60172
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in when processing authentication requests in a few file import APIs in the NetFlow EE Central Server. A remote attacker can bypass authentication process and gain unauthorized access to the application.
MitigationInstall updates from vendor's website.
Vulnerable software versionsZoho ManageEngine OpManager: 12.5 125559 - 12.5 125564
CPE2.3 External linkshttp://www.manageengine.com/network-monitoring/help/read-me-complete.html#125565
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
