Vulnerabilities (CVE)

Filtered by vendor Zohocorp Subscribe
Filtered by product Application Control Plus
Total 3 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-47966 1 Zohocorp 23 Application Control Plus, Manageengine Access Manager Plus, Manageengine Ad360 and 20 more 2023-01-25 N/A 9.8 CRITICAL
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections.
CVE-2020-15594 1 Zohocorp 1 Application Control Plus 2021-07-21 4.0 MEDIUM 4.3 MEDIUM
An SSRF issue was discovered in Zoho Application Control Plus before version 10.0.511. The mail gateway configuration feature allows an attacker to perform a scan in order to discover open ports on a machine as well as available machines on the network segment on which the instance of the product is deployed.
CVE-2020-15595 1 Zohocorp 1 Application Control Plus 2021-07-21 4.0 MEDIUM 4.3 MEDIUM
An issue was discovered in Zoho Application Control Plus before version 10.0.511. The Element Configuration feature (to configure elements included in the scope of elements managed by the product) allows an attacker to retrieve the entire list of the IP ranges and subnets configured in the product and consequently obtain information about the cartography of the internal networks to which the product has access.