List of security vulnerabilities fixed in OpManager

This page contains a list of all security vulnerabilities fixed in OpManager along with its CVE ID and fixed build number. Go to ManageEngine's Security Response Center to report vulnerabilities on ManageEngine products.

 
CVE / ZVE ID Synopsis Severity Fixed in version Link to latest build
CVE-2024-5466 OpManager: A Remote Code Execution (RCE) vulnerability could be exploited by users with 'Write' access to the 'Deploy Agent' action in the UI. This has been fixed now. [Reported by Daniel Santos] High 128330 / 128320 / 128188 / 128268 Download
CVE-2024-6748 OpManager: The SQL injection vulnerability identified in the URL Monitoring has now been fixed. [Reported by: CrisprXiang, Cokebeer, and LFY] High 128318/128186/128267
CVE-2024-38870 OpManager: A stored XSS vulnerability was discovered in Schedule reports. This has now been fixed. (Reported by Muhammed Mekkawy. Refer:CVE-2024-38870) Medium 128104/128238/128250
CVE-2024-36038 The stored XSS vulnerabilities was identified with the configured proxy server from 128234 version, have now been fixed. (Reported by Muhammed Mekkawy.) High 128249
ZVE-2024-1132 Previously, CSRF vulnerability (ZVE-2024-1132) was detected where the external users were able to utilize the network tools without authentication to perform ping or SNMP ping on network devices. This has now been fixed. (Reported by Jayateertha Guruprasad). Medium 128103/128247
CVE-2023-47211 Earlier, path traversal vulnerability was detected for MIB browser. This issue has now been fixed by implementing path sanitization. High 127260/ 127248/ 127194/ 127193
CVE-2023-29505 Previously, a WebSocket connection was affected by a Cross-site WebSocket hijacking vulnerability. This issue has been fixed by validating the origin of the websocket request. Low 127131 / 127120 / 127109
CVE-2023-31099 Enterprise Edition: Remote code execution vulnerability was identified during the data transfer in the Enterprise Edition. This has been fixed now. High  126324
ZVE-2023-0284 OpManager : The Stored XSS vulnerability issues, that lead to JS injection, and were identified in the URL Monitors, have been fixed now. (Reported by Ranjit Pahan). Medium 126279 / 126155 / 126263
CVE-2022-43473 OpManager : Previously, there was an XML External Entity (XXE) vulnerability in UCS module. It has been fixed now. (Reported by Cisco Talos-Marcin Noga) Medium 126141 / 126154/ 126169
CVE-2022-37024 Earlier, there was a Remote Code Execution (RCE) vulnerability in IPv6 address management reported by an anonymous working with Trend Micro Zero Day Initiative. This has been fixed now. High  126120 / 126105 / 126003 / 125658
CVE-2022-38772 Earlier, there was a Remote Code Execution (RCE) vulnerability in IPv4 address management reported by an anonymous working with Trend Micro Zero Day Initiative. This has been fixed now. High  126120 / 126105 / 126003 / 125658
CVE-2022-36923 A vulnerability resulted in unauthenticated access of the user API key. This issue has been fixed now. (Reported by Anonymous working with Trend Micro Zero Day Initiative) Critical  126118 / 126104 / 126002 / 125657
CVE-2022-35404 Unauthorized creation of files lead to high resource consumption. This has been fixed now.(Reported by Tenable) Medium  125639/125655/126101
CVE-2022-29535  The SQL injection vulnerability issues identified in few default reports have been fixed now. (Reported by Anh Vu) High  125589/125604/125629
CVE-2022-27908 Earlier, an SQL injection vulnerability was noticed in the Inventory Reports module. It has been fixed now. High 125588/125603
CVE-2022-24703 Earlier, there was a stored XSS vulnerability in the Schedule name field of Schedule page. This issue is fixed now. Medium 125584
CVE-2021-43319 Remote Code Execution (RCE) vulnerability in the Ping functionality. High 125457, 125473
CVE-2021-41288 SQL injection vulnerability noticed in the Reports module. High 125437, 125455 and 125467
CVE-2021-40493 SQL injection vulnerability noticed in support diagnostics module. High 125437/125453
CVE-2021-20078 Folder deletion due to path traversal vulnerability in Remote Desktop feature Critical 125332/125347
CVE-2021-3287 Unauthenticated Remote Code Execution (RCE) vulnerability due to general bypass for the deserialization class. Critical 125220/125314
CVE-2020-28653 Unauthenticated Remote Code Execution (RCE) vulnerability in the Smart Update Manager (SUM) servlet. High 125203/125218
CVE-2020-19554 A reflected XSS vulnerability when the API key contained an XML-based XSS payload Medium 125177
CVE-2020-13818 Directory Traversal validation was being bypassed when using <cachestart>. High 125144
CVE-2020-12116 Path Traversal vulnerability High 124196/125125
CVE-2020-11946 Unauthenticated access to API key disclosure from a servlet call High 124188/125120
CVE-2020-11527 File read vulnerability in Arbitrary file High 124181
CVE-2020-10541 Remote Code Execution (RCE) vulnerability in Mail Server Settings v1 APIs High 124172
CVE-2019-17421 Incorrect file permissions on the packaged Nipper executable file Medium 124079 and 124099
CVE-2019-17602 SQL injection vulnerability High 124078/124089
CVE-2019-15106 User login bypass vulnerability in APM plugin High 124062/124070
CVE-2017-11560 HTML Injection vulnerability Medium 124033
Internal An operator user could access some restricted folders by bypassing the session. High 123241
CVE-2018-20339 XSS vulnerability in 'Alarms' and 'Notes'. High 123239
CVE-2018-20338 SQL Injection vulnerability in 'Alarms'. High 123239
CVE-2018-20173 SQL Injection vulnerability in performance monitors' graph. High 123238
CVE-2018-19921 XSS vulnerability in adding/updating domain controller. High 123237
CVE-2018-19403 Unauthenticated Remote Code Execution (RCE) vulnerability. High 123231
CVE-2018-19288 XSS vulnerability in updating 'Widgets API'. High 123223
CVE-2018-18949 SQL Injection vulnerability in 'Mail Server' settings. High 123222
CVE-2018-18980 XML external entity vulnerability in 'Business view' page. High 123214
CVE-2018-18475 Unrestricted file upload vulnerability in uploading a background image in 'Business view'. High 123214
CVE-2018-18262 XSS vulnerability in 'Add Custom Category'. High 123214
CVE-2018-12997, CVE-2018-12998 Injecting arbitrary web script or HTML via the parameter 'operation'. High 123169
CVE-2018-9088, CVE-2018-9087, CVE-2018-9089 SQL Injection vulnerability in 'FailOverHelperServlet'. High 123157
CVE-2018-10803 XSS vulnerability (Cross-site-scripting) in 'Add credentials' page. High 123122
CVE-2017-12617 Uploading JSP file to server via 'HTTP PUT' method High 123046
 
 Pricing  Get Quote