ManageEngine Service Plus
by Zoho
CVEs (95)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2019-10008 | Hig | 0.62 | 8.8 | 0.20 | Apr 24, 2019 | Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation because an established guest session is automatically converted into an established administrator session when the guest user enters the administrator username, with an arbitrary incorrect… | ||
| CVE-2019-8394 | Med | 0.62 | 6.5 | 0.64 | KEV | Feb 17, 2019 | Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization. | |
| CVE-2022-29457 | Hig | 0.61 | 8.8 | 0.08 | Apr 18, 2022 | Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps. | ||
| CVE-2022-36413 | Cri | 0.59 | 9.1 | 0.03 | Mar 23, 2023 | Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack that leads to a password reset on IDM applications. | ||
| CVE-2023-22964 | Cri | 0.59 | 9.1 | 0.02 | Jan 20, 2023 | Zoho ManageEngine ServiceDesk Plus MSP before 10611, and 13x before 13004, is vulnerable to authentication bypass when LDAP authentication is enabled. | ||
| CVE-2019-7162 | Cri | 0.59 | 9.1 | 0.04 | Dec 31, 2019 | An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.6 Build 5607. An exposed service allows an unauthenticated person to retrieve internal information from the system and modify the product installation. | ||
| CVE-2022-40773 | Hig | 0.58 | 8.8 | 0.05 | Nov 12, 2022 | Zoho ManageEngine ServiceDesk Plus MSP before 10609 and SupportCenter Plus before 11025 are vulnerable to privilege escalation. This allows users to obtain sensitive data during an exportMickeyList export of requests from the list view. | ||
| CVE-2020-35682 | Hig | 0.58 | 8.8 | 0.07 | Mar 13, 2021 | Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login). | ||
| CVE-2019-18411 | Hig | 0.57 | 8.8 | 0.02 | Nov 6, 2019 | Zoho ManageEngine ADSelfService Plus 5.x through 5803 has CSRF on the users' profile information page. Users who are attacked with this vulnerability will be forced to modify their enrolled information, such as email and mobile phone, unintentionally. Attackers could use the… | ||
| CVE-2016-4889 | Hig | 0.57 | 8.8 | 0.03 | Apr 14, 2017 | ZOHO ManageEngine ServiceDesk Plus before 9.0 allows remote authenticated guest users to have unspecified impact by leveraging failure to restrict access to unknown functions. | ||
| CVE-2023-28342 | Hig | 0.55 | 7.5 | 0.80 | Apr 5, 2023 | Zoho ManageEngine ADSelfService Plus before 6218 allows anyone to conduct a Denial-of-Service attack via the Mobile App Authentication API. | ||
| CVE-2017-11512 | Hig | 0.55 | 7.5 | 0.80 | Nov 8, 2017 | The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the name parameter for the download-snapshot URL. An unauthenticated remote attacker can use this vulnerability to download arbitrary files. | ||
| CVE-2022-40770 | Hig | 0.53 | 7.2 | 0.83 | Nov 23, 2022 | Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to authenticated command injection. This can be exploited by high-privileged users. | ||
| CVE-2023-26601 | Hig | 0.51 | 7.5 | 0.34 | Mar 6, 2023 | Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Center Plus before 14000 allow Denial-of-Service (DoS). | ||
| CVE-2022-41339 | Hig | 0.51 | 7.8 | 0.01 | Nov 12, 2022 | In Zoho ManageEngine Mobile Device Manager Plus before 10.1.2207.5, the User Administration module allows privilege escalation. | ||
| CVE-2019-12133 | Hig | 0.51 | 7.8 | 0.02 | Jun 18, 2019 | Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current… | ||
| CVE-2022-34829 | Hig | 0.49 | 7.5 | 0.04 | Jul 4, 2022 | Zoho ManageEngine ADSelfService Plus before 6203 allows a denial of service (application restart) via a crafted payload to the Mobile App Deployment API. | ||
| CVE-2022-32551 | Hig | 0.49 | 7.5 | 0.03 | Jul 2, 2022 | Zoho ManageEngine ServiceDesk Plus MSP before 10604 allows path traversal (to WEBINF/web.xml from sample/WEB-INF/web.xml or sample/META-INF/web.xml). | ||
| CVE-2021-37419 | Hig | 0.49 | 7.5 | 0.02 | Sep 21, 2021 | Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to SSRF. | ||
| CVE-2021-31530 | Hig | 0.49 | 7.5 | 0.03 | Jun 29, 2021 | Zoho ManageEngine ServiceDesk Plus MSP before 10522 is vulnerable to Information Disclosure. |
- risk 0.62cvss 8.8epss 0.20
Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation because an established guest session is automatically converted into an established administrator session when the guest user enters the administrator username, with an arbitrary incorrect…
- risk 0.62cvss 6.5epss 0.64
Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization.
- risk 0.61cvss 8.8epss 0.08
Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.
- risk 0.59cvss 9.1epss 0.03
Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack that leads to a password reset on IDM applications.
- risk 0.59cvss 9.1epss 0.02
Zoho ManageEngine ServiceDesk Plus MSP before 10611, and 13x before 13004, is vulnerable to authentication bypass when LDAP authentication is enabled.
- risk 0.59cvss 9.1epss 0.04
An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.6 Build 5607. An exposed service allows an unauthenticated person to retrieve internal information from the system and modify the product installation.
- risk 0.58cvss 8.8epss 0.05
Zoho ManageEngine ServiceDesk Plus MSP before 10609 and SupportCenter Plus before 11025 are vulnerable to privilege escalation. This allows users to obtain sensitive data during an exportMickeyList export of requests from the list view.
- risk 0.58cvss 8.8epss 0.07
Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login).
- risk 0.57cvss 8.8epss 0.02
Zoho ManageEngine ADSelfService Plus 5.x through 5803 has CSRF on the users' profile information page. Users who are attacked with this vulnerability will be forced to modify their enrolled information, such as email and mobile phone, unintentionally. Attackers could use the…
- risk 0.57cvss 8.8epss 0.03
ZOHO ManageEngine ServiceDesk Plus before 9.0 allows remote authenticated guest users to have unspecified impact by leveraging failure to restrict access to unknown functions.
- risk 0.55cvss 7.5epss 0.80
Zoho ManageEngine ADSelfService Plus before 6218 allows anyone to conduct a Denial-of-Service attack via the Mobile App Authentication API.
- risk 0.55cvss 7.5epss 0.80
The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the name parameter for the download-snapshot URL. An unauthenticated remote attacker can use this vulnerability to download arbitrary files.
- risk 0.53cvss 7.2epss 0.83
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to authenticated command injection. This can be exploited by high-privileged users.
- risk 0.51cvss 7.5epss 0.34
Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Center Plus before 14000 allow Denial-of-Service (DoS).
- risk 0.51cvss 7.8epss 0.01
In Zoho ManageEngine Mobile Device Manager Plus before 10.1.2207.5, the User Administration module allows privilege escalation.
- risk 0.51cvss 7.8epss 0.02
Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current…
- risk 0.49cvss 7.5epss 0.04
Zoho ManageEngine ADSelfService Plus before 6203 allows a denial of service (application restart) via a crafted payload to the Mobile App Deployment API.
- risk 0.49cvss 7.5epss 0.03
Zoho ManageEngine ServiceDesk Plus MSP before 10604 allows path traversal (to WEBINF/web.xml from sample/WEB-INF/web.xml or sample/META-INF/web.xml).
- risk 0.49cvss 7.5epss 0.02
Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to SSRF.
- risk 0.49cvss 7.5epss 0.03
Zoho ManageEngine ServiceDesk Plus MSP before 10522 is vulnerable to Information Disclosure.
Page 2 of 5