VYPR

ManageEngine Service Plus

by Zoho

CVEs (95)

  • CVE-2019-10008HigApr 24, 2019
    risk 0.62cvss 8.8epss 0.20

    Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation because an established guest session is automatically converted into an established administrator session when the guest user enters the administrator username, with an arbitrary incorrect…

  • CVE-2019-8394MedKEVFeb 17, 2019
    risk 0.62cvss 6.5epss 0.64

    Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization.

  • CVE-2022-29457HigApr 18, 2022
    risk 0.61cvss 8.8epss 0.08

    Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.

  • CVE-2022-36413CriMar 23, 2023
    risk 0.59cvss 9.1epss 0.03

    Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack that leads to a password reset on IDM applications.

  • CVE-2023-22964CriJan 20, 2023
    risk 0.59cvss 9.1epss 0.02

    Zoho ManageEngine ServiceDesk Plus MSP before 10611, and 13x before 13004, is vulnerable to authentication bypass when LDAP authentication is enabled.

  • CVE-2019-7162CriDec 31, 2019
    risk 0.59cvss 9.1epss 0.04

    An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.6 Build 5607. An exposed service allows an unauthenticated person to retrieve internal information from the system and modify the product installation.

  • CVE-2022-40773HigNov 12, 2022
    risk 0.58cvss 8.8epss 0.05

    Zoho ManageEngine ServiceDesk Plus MSP before 10609 and SupportCenter Plus before 11025 are vulnerable to privilege escalation. This allows users to obtain sensitive data during an exportMickeyList export of requests from the list view.

  • CVE-2020-35682HigMar 13, 2021
    risk 0.58cvss 8.8epss 0.07

    Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login).

  • CVE-2019-18411HigNov 6, 2019
    risk 0.57cvss 8.8epss 0.02

    Zoho ManageEngine ADSelfService Plus 5.x through 5803 has CSRF on the users' profile information page. Users who are attacked with this vulnerability will be forced to modify their enrolled information, such as email and mobile phone, unintentionally. Attackers could use the…

  • CVE-2016-4889HigApr 14, 2017
    risk 0.57cvss 8.8epss 0.03

    ZOHO ManageEngine ServiceDesk Plus before 9.0 allows remote authenticated guest users to have unspecified impact by leveraging failure to restrict access to unknown functions.

  • CVE-2023-28342HigApr 5, 2023
    risk 0.55cvss 7.5epss 0.80

    Zoho ManageEngine ADSelfService Plus before 6218 allows anyone to conduct a Denial-of-Service attack via the Mobile App Authentication API.

  • CVE-2017-11512HigNov 8, 2017
    risk 0.55cvss 7.5epss 0.80

    The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the name parameter for the download-snapshot URL. An unauthenticated remote attacker can use this vulnerability to download arbitrary files.

  • CVE-2022-40770HigNov 23, 2022
    risk 0.53cvss 7.2epss 0.83

    Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to authenticated command injection. This can be exploited by high-privileged users.

  • CVE-2023-26601HigMar 6, 2023
    risk 0.51cvss 7.5epss 0.34

    Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Center Plus before 14000 allow Denial-of-Service (DoS).

  • CVE-2022-41339HigNov 12, 2022
    risk 0.51cvss 7.8epss 0.01

    In Zoho ManageEngine Mobile Device Manager Plus before 10.1.2207.5, the User Administration module allows privilege escalation.

  • CVE-2019-12133HigJun 18, 2019
    risk 0.51cvss 7.8epss 0.02

    Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current…

  • CVE-2022-34829HigJul 4, 2022
    risk 0.49cvss 7.5epss 0.04

    Zoho ManageEngine ADSelfService Plus before 6203 allows a denial of service (application restart) via a crafted payload to the Mobile App Deployment API.

  • CVE-2022-32551HigJul 2, 2022
    risk 0.49cvss 7.5epss 0.03

    Zoho ManageEngine ServiceDesk Plus MSP before 10604 allows path traversal (to WEBINF/web.xml from sample/WEB-INF/web.xml or sample/META-INF/web.xml).

  • CVE-2021-37419HigSep 21, 2021
    risk 0.49cvss 7.5epss 0.02

    Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to SSRF.

  • CVE-2021-31530HigJun 29, 2021
    risk 0.49cvss 7.5epss 0.03

    Zoho ManageEngine ServiceDesk Plus MSP before 10522 is vulnerable to Information Disclosure.

Page 2 of 5