ManageEngine Service Plus
by Zoho
CVEs (95)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-47966 | Cri | 0.93 | 9.8 | 1.00 | KEV | Jan 18, 2023 | Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application… | |
| CVE-2021-40539 | Cri | 0.93 | 9.8 | 0.99 | KEV | Sep 7, 2021 | Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution. | |
| CVE-2021-44077 | Cri | 0.86 | 9.8 | 0.94 | KEV | Nov 29, 2021 | Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration. | |
| CVE-2021-37415 | Cri | 0.84 | 9.8 | 1.00 | KEV | Sep 1, 2021 | Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication. | |
| CVE-2021-28958 | Cri | 0.70 | 9.8 | 0.73 | Jun 25, 2021 | Zoho ManageEngine ADSelfService Plus through 6101 is vulnerable to unauthenticated Remote Code Execution while changing the password. | ||
| CVE-2021-33055 | Cri | 0.65 | 9.8 | 0.18 | Aug 30, 2021 | Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions. | ||
| CVE-2018-5353 | Cri | 0.65 | 9.8 | 0.11 | Sep 30, 2020 | The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable… | ||
| CVE-2020-24786 | Cri | 0.65 | 9.8 | 0.13 | Aug 31, 2020 | An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer… | ||
| CVE-2020-11518 | Cri | 0.65 | 9.8 | 0.19 | Apr 4, 2020 | Zoho ManageEngine ADSelfService Plus before 5815 allows unauthenticated remote code execution. | ||
| CVE-2019-3905 | Cri | 0.65 | 10.0 | 0.03 | Jan 3, 2019 | Zoho ManageEngine ADSelfService Plus 5.x before build 5703 has SSRF. | ||
| CVE-2023-35854 | Cri | 0.64 | 9.8 | 0.06 | Jun 20, 2023 | Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is… | ||
| CVE-2021-44526 | Cri | 0.64 | 9.8 | 0.03 | Dec 23, 2021 | Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations. | ||
| CVE-2021-44675 | Cri | 0.64 | 9.8 | 0.06 | Dec 20, 2021 | Zoho ManageEngine ServiceDesk Plus MSP before 10.5 Build 10534 is vulnerable to unauthenticated remote code execution due to a filter bypass in which authentication is not required. | ||
| CVE-2021-37422 | Cri | 0.64 | 9.8 | 0.03 | Sep 10, 2021 | Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to SQL Injection while linking the databases. | ||
| CVE-2021-37423 | Cri | 0.64 | 9.8 | 0.03 | Sep 10, 2021 | Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to linked applications takeover. | ||
| CVE-2021-37421 | Cri | 0.64 | 9.8 | 0.02 | Aug 30, 2021 | Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass. | ||
| CVE-2021-37417 | Cri | 0.64 | 9.8 | 0.05 | Aug 30, 2021 | Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation. | ||
| CVE-2021-31531 | Cri | 0.64 | 9.8 | 0.02 | Jun 29, 2021 | Zoho ManageEngine ServiceDesk Plus MSP before 10521 is vulnerable to Server-Side Request Forgery (SSRF). | ||
| CVE-2019-8395 | Cri | 0.64 | 9.8 | 0.07 | Feb 17, 2019 | An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an attachment to a request. | ||
| CVE-2018-20664 | Cri | 0.64 | 9.8 | 0.08 | Jan 3, 2019 | Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via an uploaded product license. |
- risk 0.93cvss 9.8epss 1.00
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application…
- risk 0.93cvss 9.8epss 0.99
Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.
- risk 0.86cvss 9.8epss 0.94
Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.
- risk 0.84cvss 9.8epss 1.00
Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication.
- risk 0.70cvss 9.8epss 0.73
Zoho ManageEngine ADSelfService Plus through 6101 is vulnerable to unauthenticated Remote Code Execution while changing the password.
- risk 0.65cvss 9.8epss 0.18
Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions.
- risk 0.65cvss 9.8epss 0.11
The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable…
- risk 0.65cvss 9.8epss 0.13
An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer…
- risk 0.65cvss 9.8epss 0.19
Zoho ManageEngine ADSelfService Plus before 5815 allows unauthenticated remote code execution.
- risk 0.65cvss 10.0epss 0.03
Zoho ManageEngine ADSelfService Plus 5.x before build 5703 has SSRF.
- risk 0.64cvss 9.8epss 0.06
Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is…
- risk 0.64cvss 9.8epss 0.03
Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.
- risk 0.64cvss 9.8epss 0.06
Zoho ManageEngine ServiceDesk Plus MSP before 10.5 Build 10534 is vulnerable to unauthenticated remote code execution due to a filter bypass in which authentication is not required.
- risk 0.64cvss 9.8epss 0.03
Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to SQL Injection while linking the databases.
- risk 0.64cvss 9.8epss 0.03
Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to linked applications takeover.
- risk 0.64cvss 9.8epss 0.02
Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass.
- risk 0.64cvss 9.8epss 0.05
Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation.
- risk 0.64cvss 9.8epss 0.02
Zoho ManageEngine ServiceDesk Plus MSP before 10521 is vulnerable to Server-Side Request Forgery (SSRF).
- risk 0.64cvss 9.8epss 0.07
An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an attachment to a request.
- risk 0.64cvss 9.8epss 0.08
Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via an uploaded product license.
Page 1 of 5