This page contains a list of all security vulnerabilities fixed in OpManager along with its CVE ID and fixed build number. Go to ManageEngine's Security Response Center to report vulnerabilities on ManageEngine products.
| CVE / ZVE ID | Synopsis | Severity | Fixed in version | Link to latest build |
|---|---|---|---|---|
| CVE-2023-47211 | Earlier, path traversal vulnerability was detected for MIB browser. This issue has now been fixed by implementing path sanitization. | High | 127260/ 127248/ 127194/ 127193 | Download |
| CVE-2023-29505 | Previously, a WebSocket connection was affected by a Cross-site WebSocket hijacking vulnerability. This issue has been fixed by validating the origin of the websocket request. | Low | 127131 / 127120 / 127109 | |
| CVE-2023-31099 | Enterprise Edition: Remote code execution vulnerability was identified during the data transfer in the Enterprise Edition. This has been fixed now. | High | 126324 | |
| ZVE-2023-0284 | OpManager : The Stored XSS vulnerability issues, that lead to JS injection, and were identified in the URL Monitors, have been fixed now. (Reported by Ranjit Pahan). | Medium | 126279 / 126155 / 126263 | |
| CVE-2022-43473 | OpManager : Previously, there was an XML External Entity (XXE) vulnerability in UCS module. It has been fixed now. (Reported by Cisco Talos-Marcin Noga) | Medium | 126141 / 126154/ 126169 | |
| CVE-2022-37024 | Earlier, there was a Remote Code Execution (RCE) vulnerability in IPv6 address management reported by an anonymous working with Trend Micro Zero Day Initiative. This has been fixed now. | High | 126120 / 126105 / 126003 / 125658 | |
| CVE-2022-38772 | Earlier, there was a Remote Code Execution (RCE) vulnerability in IPv4 address management reported by an anonymous working with Trend Micro Zero Day Initiative. This has been fixed now. | High | 126120 / 126105 / 126003 / 125658 | |
| CVE-2022-36923 | A vulnerability resulted in unauthenticated access of the user API key. This issue has been fixed now. (Reported by Anonymous working with Trend Micro Zero Day Initiative) | Critical | 126118 / 126104 / 126002 / 125657 | |
| CVE-2022-35404 | Unauthorized creation of files lead to high resource consumption. This has been fixed now.(Reported by Tenable) | Medium | 125639/125655/126101 | |
| CVE-2022-29535 | The SQL injection vulnerability issues identified in few default reports have been fixed now. (Reported by Anh Vu) | High | 125589/125604/125629 | |
| CVE-2022-27908 | Earlier, an SQL injection vulnerability was noticed in the Inventory Reports module. It has been fixed now. | High | 125588/125603 | |
| CVE-2022-24703 | Earlier, there was a stored XSS vulnerability in the Schedule name field of Schedule page. This issue is fixed now. | Medium | 125584 | |
| CVE-2021-43319 | Remote Code Execution (RCE) vulnerability in the Ping functionality. | High | 125457, 125473 | |
| CVE-2021-41288 | SQL injection vulnerability noticed in the Reports module. | High | 125437, 125455 and 125467 | |
| CVE-2021-40493 | SQL injection vulnerability noticed in support diagnostics module. | High | 125437/125453 | |
| CVE-2021-20078 | Folder deletion due to path traversal vulnerability in Remote Desktop feature | Critical | 125332/125347 | |
| CVE-2021-3287 | Unauthenticated Remote Code Execution (RCE) vulnerability due to general bypass for the deserialization class. | Critical | 125220/125314 | |
| CVE-2020-28653 | Unauthenticated Remote Code Execution (RCE) vulnerability in the Smart Update Manager (SUM) servlet. | High | 125203/125218 | |
| CVE-2020-19554 | A reflected XSS vulnerability when the API key contained an XML-based XSS payload | Medium | 125177 | |
| CVE-2020-13818 | Directory Traversal validation was being bypassed when using <cachestart>. | High | 125144 | |
| CVE-2020-12116 | Path Traversal vulnerability | High | 124196/125125 | |
| CVE-2020-11946 | Unauthenticated access to API key disclosure from a servlet call | High | 124188/125120 | |
| CVE-2020-11527 | File read vulnerability in Arbitrary file | High | 124181 | |
| CVE-2020-10541 | Remote Code Execution (RCE) vulnerability in Mail Server Settings v1 APIs | High | 124172 | |
| CVE-2019-17421 | Incorrect file permissions on the packaged Nipper executable file | Medium | 124079 and 124099 | |
| CVE-2019-17602 | SQL injection vulnerability | High | 124078/124089 | |
| CVE-2019-15106 | User login bypass vulnerability in APM plugin | High | 124062/124070 | |
| CVE-2017-11560 | HTML Injection vulnerability | Medium | 124033 | |
| Internal | An operator user could access some restricted folders by bypassing the session. | High | 123241 | |
| CVE-2018-20339 | XSS vulnerability in 'Alarms' and 'Notes'. | High | 123239 | |
| CVE-2018-20338 | SQL Injection vulnerability in 'Alarms'. | High | 123239 | |
| CVE-2018-20173 | SQL Injection vulnerability in performance monitors' graph. | High | 123238 | |
| CVE-2018-19921 | XSS vulnerability in adding/updating domain controller. | High | 123237 | |
| CVE-2018-19403 | Unauthenticated Remote Code Execution (RCE) vulnerability. | High | 123231 | |
| CVE-2018-19288 | XSS vulnerability in updating 'Widgets API'. | High | 123223 | |
| CVE-2018-18949 | SQL Injection vulnerability in 'Mail Server' settings. | High | 123222 | |
| CVE-2018-18980 | XML external entity vulnerability in 'Business view' page. | High | 123214 | |
| CVE-2018-18475 | Unrestricted file upload vulnerability in uploading a background image in 'Business view'. | High | 123214 | |
| CVE-2018-18262 | XSS vulnerability in 'Add Custom Category'. | High | 123214 | |
| CVE-2018-12997, CVE-2018-12998 | Injecting arbitrary web script or HTML via the parameter 'operation'. | High | 123169 | |
| CVE-2018-9088, CVE-2018-9087, CVE-2018-9089 | SQL Injection vulnerability in 'FailOverHelperServlet'. | High | 123157 | |
| CVE-2018-10803 | XSS vulnerability (Cross-site-scripting) in 'Add credentials' page. | High | 123122 | |
| CVE-2017-12617 | Uploading JSP file to server via 'HTTP PUT' method | High | 123046 |