VYPR

ManageEngine Service Plus

by Zoho

CVEs (95)

  • CVE-2022-47966CriKEVJan 18, 2023
    risk 0.93cvss 9.8epss 1.00

    Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application…

  • CVE-2021-40539CriKEVSep 7, 2021
    risk 0.93cvss 9.8epss 0.99

    Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.

  • CVE-2021-44077CriKEVNov 29, 2021
    risk 0.86cvss 9.8epss 0.94

    Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.

  • CVE-2021-37415CriKEVSep 1, 2021
    risk 0.84cvss 9.8epss 1.00

    Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication.

  • CVE-2021-28958CriJun 25, 2021
    risk 0.70cvss 9.8epss 0.73

    Zoho ManageEngine ADSelfService Plus through 6101 is vulnerable to unauthenticated Remote Code Execution while changing the password.

  • CVE-2021-33055CriAug 30, 2021
    risk 0.65cvss 9.8epss 0.18

    Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions.

  • CVE-2018-5353CriSep 30, 2020
    risk 0.65cvss 9.8epss 0.11

    The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable…

  • CVE-2020-24786CriAug 31, 2020
    risk 0.65cvss 9.8epss 0.13

    An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer…

  • CVE-2020-11518CriApr 4, 2020
    risk 0.65cvss 9.8epss 0.19

    Zoho ManageEngine ADSelfService Plus before 5815 allows unauthenticated remote code execution.

  • CVE-2019-3905CriJan 3, 2019
    risk 0.65cvss 10.0epss 0.03

    Zoho ManageEngine ADSelfService Plus 5.x before build 5703 has SSRF.

  • CVE-2023-35854CriJun 20, 2023
    risk 0.64cvss 9.8epss 0.06

    Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is…

  • CVE-2021-44526CriDec 23, 2021
    risk 0.64cvss 9.8epss 0.03

    Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.

  • CVE-2021-44675CriDec 20, 2021
    risk 0.64cvss 9.8epss 0.06

    Zoho ManageEngine ServiceDesk Plus MSP before 10.5 Build 10534 is vulnerable to unauthenticated remote code execution due to a filter bypass in which authentication is not required.

  • CVE-2021-37422CriSep 10, 2021
    risk 0.64cvss 9.8epss 0.03

    Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to SQL Injection while linking the databases.

  • CVE-2021-37423CriSep 10, 2021
    risk 0.64cvss 9.8epss 0.03

    Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to linked applications takeover.

  • CVE-2021-37421CriAug 30, 2021
    risk 0.64cvss 9.8epss 0.02

    Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass.

  • CVE-2021-37417CriAug 30, 2021
    risk 0.64cvss 9.8epss 0.05

    Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation.

  • CVE-2021-31531CriJun 29, 2021
    risk 0.64cvss 9.8epss 0.02

    Zoho ManageEngine ServiceDesk Plus MSP before 10521 is vulnerable to Server-Side Request Forgery (SSRF).

  • CVE-2019-8395CriFeb 17, 2019
    risk 0.64cvss 9.8epss 0.07

    An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an attachment to a request.

  • CVE-2018-20664CriJan 3, 2019
    risk 0.64cvss 9.8epss 0.08

    Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via an uploaded product license.

Page 1 of 5