VYPR

ManageEngine Service Plus

by Zoho

CVEs (95)

  • CVE-2021-31160HigJun 29, 2021
    risk 0.49cvss 7.5epss 0.04

    Zoho ManageEngine ServiceDesk Plus MSP before 10521 allows an attacker to access internal data.

  • CVE-2020-14048HigJun 12, 2020
    risk 0.49cvss 7.5epss 0.05

    Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents.

  • CVE-2019-15046HigAug 14, 2019
    risk 0.49cvss 7.5epss 0.05

    Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989.

  • CVE-2019-7161HigMar 21, 2019
    risk 0.49cvss 7.5epss 0.06

    An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.x through build 5704. It uses fixed ciphering keys to protect information, giving the capacity for an attacker to decipher any protected data.

  • CVE-2017-11511HigNov 8, 2017
    risk 0.49cvss 7.5epss 0.04

    The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the filepath parameter for the download-file URL. An unauthenticated remote attacker can use this vulnerability to download arbitrary files.

  • CVE-2019-12876HigJul 17, 2019
    risk 0.48cvss 7.3epss 0.05

    Zoho ManageEngine ADManager Plus 6.6.5, ADSelfService Plus 5.7, and DesktopCentral 10.0.380 have Insecure Permissions, leading to Privilege Escalation from low level privileges to System.

  • CVE-2023-23074MedFeb 1, 2023
    risk 0.46cvss 6.1epss 0.84

    Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via embedding videos in the language component.

  • CVE-2019-12252MedMay 21, 2019
    risk 0.46cvss 6.5epss 0.08

    In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id= substring.

  • CVE-2019-12476MedJun 17, 2019
    risk 0.44cvss 6.8epss 0.02

    An authentication bypass vulnerability in the password reset functionality in Zoho ManageEngine ADSelfService Plus before 5.0.6 allows an attacker with physical access to gain a shell with SYSTEM privileges via the restricted thick client browser. The attack uses a long sequence…

  • CVE-2019-15083MedMay 14, 2020
    risk 0.43cvss 6.1epss 0.06

    Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute code on the Manage Engine…

  • CVE-2019-12543MedJun 5, 2019
    risk 0.43cvss 6.1epss 0.06

    An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter.

  • CVE-2019-12542MedJun 5, 2019
    risk 0.43cvss 6.1epss 0.06

    An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter.

  • CVE-2019-12541MedJun 5, 2019
    risk 0.43cvss 6.1epss 0.06

    An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter.

  • CVE-2019-12538MedJun 5, 2019
    risk 0.43cvss 6.1epss 0.06

    An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do search field.

  • CVE-2019-12189MedMay 21, 2019
    risk 0.43cvss 6.1epss 0.06

    An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field.

  • CVE-2018-20485MedDec 26, 2018
    risk 0.43cvss 6.1epss 0.05

    Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the employee search feature.

  • CVE-2018-20484MedDec 26, 2018
    risk 0.43cvss 6.1epss 0.05

    Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the self-update layout implementation.

  • CVE-2022-40772MedNov 23, 2022
    risk 0.42cvss 6.5epss 0.03

    Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to a validation bypass that allows users to access sensitive data via the report module.

  • CVE-2021-37420MedSep 21, 2021
    risk 0.42cvss 6.5epss 0.02

    Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to mail spoofing.

  • CVE-2020-13154MedMay 18, 2020
    risk 0.42cvss 6.5epss 0.03

    Zoho ManageEngine Service Plus before 11.1 build 11112 allows low-privilege authenticated users to discover the File Protection password via a getFileProtectionSettings call to AjaxServlet.