This page contains a list of all security vulnerabilities fixed in OpUtils along with its CVE id and fixed build number. Go to ManageEngine's Security Response Center to report vulnerabilities on ManageEngine products.
| CVE ID | Synopsis | Severity | Fixed in version | Link to latest build |
|---|---|---|---|---|
| CVE-2023-47211 | Earlier, path traversal vulnerability was detected for MIB browser. This issue has now been fixed by implementing path sanitization. | High | 127193 / 127194 / 127248 / 127260 | Download |
| CVE-2022-37024 | Earlier, there was a Remote Code Execution (RCE) vulnerability in IPv6 address management reported by an anonymous working with Trend Micro Zero Day Initiative. This has been fixed now. | Critical | 125658 / 126105 / 126120/ 126003 | |
| CVE-2022-38772 | Earlier, there was a Remote Code Execution (RCE) vulnerability in IPv4 address management reported by an anonymous working with Trend Micro Zero Day Initiative. This has been fixed now. | Critical | 125658 / 126105 / 126120 / 126003 | |
| CVE-2022-36923 | A vulnerability resulted in unauthenticated access of the user API key. This issue has been fixed now. (Reported by Anonymous working with Trend Micro Zero Day Initiative) | Critical | 125657 / 126002 / 126104 / 126118 | |
| CVE-2021-44514 | Mishandled audit directories in very few OpUtils' modules. | High | 125474/125490 | |
| CVE-2021-3287 | Unauthenticated Remote Code Execution (RCE) vulnerability due to general bypass for the deserialization class. | Critical | 125220/125314 | |
| CVE-2020-28653 | Unauthenticated Remote Code Execution (RCE) vulnerability in the Smart Update Manager (SUM) servlet. | High | 125203 / 125218 | |
| CVE-2020-13818 | Directory Traversal validation was being bypassed when using <cachestart>. | High | 125144 | |
| CVE-2020-12116 | Path Traversal vulnerability | High | 124196/125125 | |
| CVE-2020-11946 | Unauthenticated access to API key disclosure from a servlet call | High | 124188/125120 | |
| CVE-2020-11527 | File read vulnerability in Arbitrary file | High | 124181 | |
| CVE-2020-10541 | The obsolete code causing Remote Code Execution (RCE) vulnerability in Mail Server Settings v1 APIs have been removed. | High | 124172 | |
| CVE-2019-17421 | Incorrect file permissions on the packaged Nipper executable file | Medium | 124079 and 124099 | |
| Internal | An operator user could access some restricted folders by bypassing the session. | High | 123241 | |
| CVE-2018-19403 | Unauthenticated Remote Code Execution (RCE) vulnerability | High | 123231 | |
| CVE-2018-17283 | The 'oputilsServlet' which was previously unauthenticated has now been removed. | High | 123196 | |
| CVE-2018-12997, CVE-2018-12998 | It allows remote attackers to inject arbitrary web script or HTML via the parameter 'operation' to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet. | High | 123169 |