VYPR

ManageEngine Service Plus

by Zoho

CVEs (95)

  • CVE-2023-23078MedFeb 1, 2023
    risk 0.40cvss 6.1epss 0.03

    Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets.

  • CVE-2023-23077MedFeb 1, 2023
    risk 0.40cvss 6.1epss 0.03

    Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment.

  • CVE-2023-23073MedFeb 1, 2023
    risk 0.40cvss 6.1epss 0.03

    Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component.

  • CVE-2022-24681MedApr 7, 2022
    risk 0.40cvss 6.1epss 0.04

    Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen.

  • CVE-2021-37416MedAug 30, 2021
    risk 0.40cvss 6.1epss 0.03

    Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page.

  • CVE-2021-27956MedMay 20, 2021
    risk 0.40cvss 6.1epss 0.02

    Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field.

  • CVE-2021-27214MedFeb 19, 2021
    risk 0.40cvss 6.1epss 0.02

    A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack against the administrative…

  • CVE-2019-18781MedDec 18, 2019
    risk 0.40cvss 6.1epss 0.02

    An open redirect vulnerability was discovered in Zoho ManageEngine ADSelfService Plus 5.x before 5809 that allows attackers to force users who click on a crafted link to be sent to a specified external site.

  • CVE-2019-12540MedJul 11, 2019
    risk 0.40cvss 6.1epss 0.02

    An issue was discovered in Zoho ManageEngine ServiceDesk Plus 10.5. There is XSS via the WorkOrder.do search field.

  • CVE-2019-12539MedJul 11, 2019
    risk 0.40cvss 6.1epss 0.03

    An issue was discovered in the Purchase component of Zoho ManageEngine ServiceDesk Plus. There is XSS via the SearchN.do search field, a different vulnerability than CVE-2019-12189.

  • CVE-2019-8346MedMay 24, 2019
    risk 0.40cvss 6.1epss 0.04

    In Zoho ManageEngine ADSelfService Plus 5.x through 5704, an authorization.do cross-site Scripting (XSS) vulnerability allows for an unauthenticated manipulation of the JavaScript code by injecting the HTTP form parameter adscsrf. An attacker can use this to capture a user's AD…

  • CVE-2019-11511MedApr 25, 2019
    risk 0.40cvss 6.1epss 0.02

    Zoho ManageEngine ADSelfService Plus before build 5708 has XSS via the mobile app API.

  • CVE-2018-5799MedMar 30, 2018
    risk 0.40cvss 6.1epss 0.02

    In Zoho ManageEngine ServiceDesk Plus before 9403, an XSS issue allows an attacker to run arbitrary JavaScript via a /api/request/?OPERATION_NAME= URI, aka SD-69139.

  • CVE-2021-46065MedJan 27, 2022
    risk 0.39cvss 4.8epss 0.92

    A Cross-site scripting (XSS) vulnerability in Secondary Email Field in Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306 allows an attackers to inject arbitrary JavaScript code.

  • CVE-2021-31874MedJul 2, 2021
    risk 0.39cvss 5.9epss 0.04

    Zoho ManageEngine ADSelfService Plus before 6104, in rare situations, allows attackers to obtain sensitive information about the password-sync database application.

  • CVE-2021-31159MedJun 16, 2021
    risk 0.39cvss 5.3epss 0.18

    Zoho ManageEngine ServiceDesk Plus MSP before 10519 is vulnerable to a User Enumeration bug due to improper error-message generation in the Forgot Password functionality, aka SDPMSP-15732.

  • CVE-2024-27310MedMay 27, 2024
    risk 0.35cvss 5.3epss 0.02

    Zoho ManageEngine ADSelfService Plus versions below 6401 are vulnerable to the DOS attack due to the malicious LDAP input.

  • CVE-2023-49943MedJan 18, 2024
    risk 0.35cvss 5.4epss 0.02

    Zoho ManageEngine ServiceDesk Plus MSP before 14504 allows stored XSS (by a low-privileged technician) via a task's name in a time sheet.

  • CVE-2023-34197MedJul 7, 2023
    risk 0.35cvss 5.4epss 0.04

    Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a privilege escalation vulnerability in the Release module that allows unprivileged users to access the Reminders of a release ticket and make…

  • CVE-2022-28987MedMay 20, 2022
    risk 0.35cvss 5.3epss 0.10

    Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login.

Page 4 of 5