A vulnerability in the showReports module of Zoho ManageEngine Applications Manager before build 14550 allows authenticated attackers to execute a SQL injection via a crafted request.

An issue was discovered in ZOHO ManageEngine Applications Manager 12.3. It is possible for an unauthenticated user to view the list of domain names and usernames used in a company's network environment via a userconfiguration.do?method=editUser request.