This page contains a list of all security vulnerabilities fixed in OpUtils along with its CVE id and fixed build number. Go to ManageEngine's Security Response Center to report vulnerabilities on ManageEngine products.
| CVE ID | Synopsis | Severity | Fixed in version | Link to latest build |
|---|---|---|---|---|
| ZVE-2025-3566 | Previously, a Stored Cross-Site Scripting (XSS) vulnerability was identified in the IP Address Manager module of OpManager, NetFlow Analyzer, and OpUtils (versions prior to 12.8.582). This issue has now been resolved.(Reported by tuannq x ngockhanhc311). | Medium | 128582 / 128465 / 128570 | Download |
| ZVE-2024-1132 | Previously, CSRF vulnerability (ZVE-2024-1132) was detected where the external users were able to utilize the network tools without authentication to perform ping or SNMP ping on network devices. This has now been fixed. (Reported by Jayateertha Guruprasad). | Medium | 128103/128247 | |
| CVE-2023-47211 | Earlier, path traversal vulnerability was detected for MIB browser. This issue has now been fixed by implementing path sanitization. | High | 127193 / 127194 / 127248 / 127260 | |
| CVE-2022-37024 | Earlier, there was a Remote Code Execution (RCE) vulnerability in IPv6 address management reported by an anonymous working with Trend Micro Zero Day Initiative. This has been fixed now. | Critical | 125658 / 126105 / 126120/ 126003 | |
| CVE-2022-38772 | Earlier, there was a Remote Code Execution (RCE) vulnerability in IPv4 address management reported by an anonymous working with Trend Micro Zero Day Initiative. This has been fixed now. | Critical | 125658 / 126105 / 126120 / 126003 | |
| CVE-2022-36923 | A vulnerability resulted in unauthenticated access of the user API key. This issue has been fixed now. (Reported by Anonymous working with Trend Micro Zero Day Initiative) | Critical | 125657 / 126002 / 126104 / 126118 | |
| CVE-2021-44514 | Mishandled audit directories in very few OpUtils' modules. | High | 125474/125490 | |
| CVE-2021-3287 | Unauthenticated Remote Code Execution (RCE) vulnerability due to general bypass for the deserialization class. | Critical | 125220/125314 | |
| CVE-2020-28653 | Unauthenticated Remote Code Execution (RCE) vulnerability in the Smart Update Manager (SUM) servlet. | High | 125203 / 125218 | |
| CVE-2020-13818 | Directory Traversal validation was being bypassed when using <cachestart>. | High | 125144 | |
| CVE-2020-12116 | Path Traversal vulnerability | High | 124196/125125 | |
| CVE-2020-11946 | Unauthenticated access to API key disclosure from a servlet call | High | 124188/125120 | |
| CVE-2020-11527 | File read vulnerability in Arbitrary file | High | 124181 | |
| CVE-2020-10541 | The obsolete code causing Remote Code Execution (RCE) vulnerability in Mail Server Settings v1 APIs have been removed. | High | 124172 | |
| CVE-2019-17421 | Incorrect file permissions on the packaged Nipper executable file | Medium | 124079 and 124099 | |
| Internal | An operator user could access some restricted folders by bypassing the session. | High | 123241 | |
| CVE-2018-19403 | Unauthenticated Remote Code Execution (RCE) vulnerability | High | 123231 | |
| CVE-2018-17283 | The 'oputilsServlet' which was previously unauthenticated has now been removed. | High | 123196 | |
| CVE-2018-12997, CVE-2018-12998 | It allows remote attackers to inject arbitrary web script or HTML via the parameter 'operation' to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet. | High | 123169 |