ManageEngine Service Plus
by Zoho
CVEs (95)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-31160 | Hig | 0.49 | 7.5 | 0.04 | Jun 29, 2021 | Zoho ManageEngine ServiceDesk Plus MSP before 10521 allows an attacker to access internal data. | ||
| CVE-2020-14048 | Hig | 0.49 | 7.5 | 0.05 | Jun 12, 2020 | Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents. | ||
| CVE-2019-15046 | Hig | 0.49 | 7.5 | 0.05 | Aug 14, 2019 | Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989. | ||
| CVE-2019-7161 | Hig | 0.49 | 7.5 | 0.06 | Mar 21, 2019 | An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.x through build 5704. It uses fixed ciphering keys to protect information, giving the capacity for an attacker to decipher any protected data. | ||
| CVE-2017-11511 | Hig | 0.49 | 7.5 | 0.04 | Nov 8, 2017 | The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the filepath parameter for the download-file URL. An unauthenticated remote attacker can use this vulnerability to download arbitrary files. | ||
| CVE-2019-12876 | Hig | 0.48 | 7.3 | 0.05 | Jul 17, 2019 | Zoho ManageEngine ADManager Plus 6.6.5, ADSelfService Plus 5.7, and DesktopCentral 10.0.380 have Insecure Permissions, leading to Privilege Escalation from low level privileges to System. | ||
| CVE-2023-23074 | Med | 0.46 | 6.1 | 0.84 | Feb 1, 2023 | Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via embedding videos in the language component. | ||
| CVE-2019-12252 | Med | 0.46 | 6.5 | 0.08 | May 21, 2019 | In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the SDNotify.do?notifyModule=Solution&mode=E-Mail¬ifyTo=SOLFORWARD&id= substring. | ||
| CVE-2019-12476 | Med | 0.44 | 6.8 | 0.02 | Jun 17, 2019 | An authentication bypass vulnerability in the password reset functionality in Zoho ManageEngine ADSelfService Plus before 5.0.6 allows an attacker with physical access to gain a shell with SYSTEM privileges via the restricted thick client browser. The attack uses a long sequence… | ||
| CVE-2019-15083 | Med | 0.43 | 6.1 | 0.06 | May 14, 2020 | Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute code on the Manage Engine… | ||
| CVE-2019-12543 | Med | 0.43 | 6.1 | 0.06 | Jun 5, 2019 | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter. | ||
| CVE-2019-12542 | Med | 0.43 | 6.1 | 0.06 | Jun 5, 2019 | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter. | ||
| CVE-2019-12541 | Med | 0.43 | 6.1 | 0.06 | Jun 5, 2019 | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter. | ||
| CVE-2019-12538 | Med | 0.43 | 6.1 | 0.06 | Jun 5, 2019 | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do search field. | ||
| CVE-2019-12189 | Med | 0.43 | 6.1 | 0.06 | May 21, 2019 | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field. | ||
| CVE-2018-20485 | Med | 0.43 | 6.1 | 0.05 | Dec 26, 2018 | Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the employee search feature. | ||
| CVE-2018-20484 | Med | 0.43 | 6.1 | 0.05 | Dec 26, 2018 | Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the self-update layout implementation. | ||
| CVE-2022-40772 | Med | 0.42 | 6.5 | 0.03 | Nov 23, 2022 | Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to a validation bypass that allows users to access sensitive data via the report module. | ||
| CVE-2021-37420 | Med | 0.42 | 6.5 | 0.02 | Sep 21, 2021 | Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to mail spoofing. | ||
| CVE-2020-13154 | Med | 0.42 | 6.5 | 0.03 | May 18, 2020 | Zoho ManageEngine Service Plus before 11.1 build 11112 allows low-privilege authenticated users to discover the File Protection password via a getFileProtectionSettings call to AjaxServlet. |
- risk 0.49cvss 7.5epss 0.04
Zoho ManageEngine ServiceDesk Plus MSP before 10521 allows an attacker to access internal data.
- risk 0.49cvss 7.5epss 0.05
Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents.
- risk 0.49cvss 7.5epss 0.05
Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989.
- risk 0.49cvss 7.5epss 0.06
An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.x through build 5704. It uses fixed ciphering keys to protect information, giving the capacity for an attacker to decipher any protected data.
- risk 0.49cvss 7.5epss 0.04
The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the filepath parameter for the download-file URL. An unauthenticated remote attacker can use this vulnerability to download arbitrary files.
- risk 0.48cvss 7.3epss 0.05
Zoho ManageEngine ADManager Plus 6.6.5, ADSelfService Plus 5.7, and DesktopCentral 10.0.380 have Insecure Permissions, leading to Privilege Escalation from low level privileges to System.
- risk 0.46cvss 6.1epss 0.84
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via embedding videos in the language component.
- risk 0.46cvss 6.5epss 0.08
In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the SDNotify.do?notifyModule=Solution&mode=E-Mail¬ifyTo=SOLFORWARD&id= substring.
- risk 0.44cvss 6.8epss 0.02
An authentication bypass vulnerability in the password reset functionality in Zoho ManageEngine ADSelfService Plus before 5.0.6 allows an attacker with physical access to gain a shell with SYSTEM privileges via the restricted thick client browser. The attack uses a long sequence…
- risk 0.43cvss 6.1epss 0.06
Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute code on the Manage Engine…
- risk 0.43cvss 6.1epss 0.06
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter.
- risk 0.43cvss 6.1epss 0.06
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter.
- risk 0.43cvss 6.1epss 0.06
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter.
- risk 0.43cvss 6.1epss 0.06
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do search field.
- risk 0.43cvss 6.1epss 0.06
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field.
- risk 0.43cvss 6.1epss 0.05
Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the employee search feature.
- risk 0.43cvss 6.1epss 0.05
Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the self-update layout implementation.
- risk 0.42cvss 6.5epss 0.03
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to a validation bypass that allows users to access sensitive data via the report module.
- risk 0.42cvss 6.5epss 0.02
Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to mail spoofing.
- risk 0.42cvss 6.5epss 0.03
Zoho ManageEngine Service Plus before 11.1 build 11112 allows low-privilege authenticated users to discover the File Protection password via a getFileProtectionSettings call to AjaxServlet.
Page 3 of 5