An issue was discovered in ZOHO ManageEngine OpManager 12.2. By adding a Google Map to the application, an authenticated user can upload an HTML file. This HTML file is then rendered in various locations of the application. JavaScript inside the uploaded HTML is also interpreted by the application. Thus, an attacker can inject a malicious JavaScript payload inside the HTML file and upload it to the application.

An issue was discovered in ZOHO ManageEngine OpManager 12.2. An authenticated user can upload any file they want to share in the "Group Chat" or "Alarm" section. This functionality can be abused by a malicious user by uploading a web shell.

Zoho ManageEngine OpManager 12.3 before build 123239 allows SQL injection in the Alarms section.

Zoho ManageEngine OpManager 12.3 before build 123239 allows XSS in the Notes column of the Alarms section.

Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection via the getGraphData API.

Zoho ManageEngine OpManager 12.3 before 123237 has XSS in the domain controller.

Zoho ManageEngine OpManager 12.3 before 123219 has a Self XSS Vulnerability.

Zoho ManageEngine OpManager 12.3 before 123219 has stored XSS.

Zoho ManageEngine OpManager 12.3 before Build 123223 has XSS via the updateWidget API.

An XML External Entity injection (XXE) vulnerability exists in Zoho ManageEngine Network Configuration Manager and OpManager before 12.3.214 via the RequestXML parameter in a /devices/ProcessRequest.do GET request. For example, the attacker can trigger the transmission of local files to an arbitrary remote FTP server.