ManageEngine Service Plus
by Zoho
CVEs (95)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-23078 | Med | 0.40 | 6.1 | 0.03 | Feb 1, 2023 | Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets. | ||
| CVE-2023-23077 | Med | 0.40 | 6.1 | 0.03 | Feb 1, 2023 | Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment. | ||
| CVE-2023-23073 | Med | 0.40 | 6.1 | 0.03 | Feb 1, 2023 | Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component. | ||
| CVE-2022-24681 | Med | 0.40 | 6.1 | 0.04 | Apr 7, 2022 | Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen. | ||
| CVE-2021-37416 | Med | 0.40 | 6.1 | 0.03 | Aug 30, 2021 | Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page. | ||
| CVE-2021-27956 | Med | 0.40 | 6.1 | 0.02 | May 20, 2021 | Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field. | ||
| CVE-2021-27214 | Med | 0.40 | 6.1 | 0.02 | Feb 19, 2021 | A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack against the administrative… | ||
| CVE-2019-18781 | Med | 0.40 | 6.1 | 0.02 | Dec 18, 2019 | An open redirect vulnerability was discovered in Zoho ManageEngine ADSelfService Plus 5.x before 5809 that allows attackers to force users who click on a crafted link to be sent to a specified external site. | ||
| CVE-2019-12540 | Med | 0.40 | 6.1 | 0.02 | Jul 11, 2019 | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 10.5. There is XSS via the WorkOrder.do search field. | ||
| CVE-2019-12539 | Med | 0.40 | 6.1 | 0.03 | Jul 11, 2019 | An issue was discovered in the Purchase component of Zoho ManageEngine ServiceDesk Plus. There is XSS via the SearchN.do search field, a different vulnerability than CVE-2019-12189. | ||
| CVE-2019-8346 | Med | 0.40 | 6.1 | 0.04 | May 24, 2019 | In Zoho ManageEngine ADSelfService Plus 5.x through 5704, an authorization.do cross-site Scripting (XSS) vulnerability allows for an unauthenticated manipulation of the JavaScript code by injecting the HTTP form parameter adscsrf. An attacker can use this to capture a user's AD… | ||
| CVE-2019-11511 | Med | 0.40 | 6.1 | 0.02 | Apr 25, 2019 | Zoho ManageEngine ADSelfService Plus before build 5708 has XSS via the mobile app API. | ||
| CVE-2018-5799 | Med | 0.40 | 6.1 | 0.02 | Mar 30, 2018 | In Zoho ManageEngine ServiceDesk Plus before 9403, an XSS issue allows an attacker to run arbitrary JavaScript via a /api/request/?OPERATION_NAME= URI, aka SD-69139. | ||
| CVE-2021-46065 | Med | 0.39 | 4.8 | 0.92 | Jan 27, 2022 | A Cross-site scripting (XSS) vulnerability in Secondary Email Field in Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306 allows an attackers to inject arbitrary JavaScript code. | ||
| CVE-2021-31874 | Med | 0.39 | 5.9 | 0.04 | Jul 2, 2021 | Zoho ManageEngine ADSelfService Plus before 6104, in rare situations, allows attackers to obtain sensitive information about the password-sync database application. | ||
| CVE-2021-31159 | Med | 0.39 | 5.3 | 0.18 | Jun 16, 2021 | Zoho ManageEngine ServiceDesk Plus MSP before 10519 is vulnerable to a User Enumeration bug due to improper error-message generation in the Forgot Password functionality, aka SDPMSP-15732. | ||
| CVE-2024-27310 | Med | 0.35 | 5.3 | 0.02 | May 27, 2024 | Zoho ManageEngine ADSelfService Plus versions below 6401 are vulnerable to the DOS attack due to the malicious LDAP input. | ||
| CVE-2023-49943 | Med | 0.35 | 5.4 | 0.02 | Jan 18, 2024 | Zoho ManageEngine ServiceDesk Plus MSP before 14504 allows stored XSS (by a low-privileged technician) via a task's name in a time sheet. | ||
| CVE-2023-34197 | Med | 0.35 | 5.4 | 0.04 | Jul 7, 2023 | Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a privilege escalation vulnerability in the Release module that allows unprivileged users to access the Reminders of a release ticket and make… | ||
| CVE-2022-28987 | Med | 0.35 | 5.3 | 0.10 | May 20, 2022 | Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login. |
- risk 0.40cvss 6.1epss 0.03
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets.
- risk 0.40cvss 6.1epss 0.03
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment.
- risk 0.40cvss 6.1epss 0.03
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component.
- risk 0.40cvss 6.1epss 0.04
Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen.
- risk 0.40cvss 6.1epss 0.03
Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page.
- risk 0.40cvss 6.1epss 0.02
Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field.
- risk 0.40cvss 6.1epss 0.02
A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack against the administrative…
- risk 0.40cvss 6.1epss 0.02
An open redirect vulnerability was discovered in Zoho ManageEngine ADSelfService Plus 5.x before 5809 that allows attackers to force users who click on a crafted link to be sent to a specified external site.
- risk 0.40cvss 6.1epss 0.02
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 10.5. There is XSS via the WorkOrder.do search field.
- risk 0.40cvss 6.1epss 0.03
An issue was discovered in the Purchase component of Zoho ManageEngine ServiceDesk Plus. There is XSS via the SearchN.do search field, a different vulnerability than CVE-2019-12189.
- risk 0.40cvss 6.1epss 0.04
In Zoho ManageEngine ADSelfService Plus 5.x through 5704, an authorization.do cross-site Scripting (XSS) vulnerability allows for an unauthenticated manipulation of the JavaScript code by injecting the HTTP form parameter adscsrf. An attacker can use this to capture a user's AD…
- risk 0.40cvss 6.1epss 0.02
Zoho ManageEngine ADSelfService Plus before build 5708 has XSS via the mobile app API.
- risk 0.40cvss 6.1epss 0.02
In Zoho ManageEngine ServiceDesk Plus before 9403, an XSS issue allows an attacker to run arbitrary JavaScript via a /api/request/?OPERATION_NAME= URI, aka SD-69139.
- risk 0.39cvss 4.8epss 0.92
A Cross-site scripting (XSS) vulnerability in Secondary Email Field in Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306 allows an attackers to inject arbitrary JavaScript code.
- risk 0.39cvss 5.9epss 0.04
Zoho ManageEngine ADSelfService Plus before 6104, in rare situations, allows attackers to obtain sensitive information about the password-sync database application.
- risk 0.39cvss 5.3epss 0.18
Zoho ManageEngine ServiceDesk Plus MSP before 10519 is vulnerable to a User Enumeration bug due to improper error-message generation in the Forgot Password functionality, aka SDPMSP-15732.
- risk 0.35cvss 5.3epss 0.02
Zoho ManageEngine ADSelfService Plus versions below 6401 are vulnerable to the DOS attack due to the malicious LDAP input.
- risk 0.35cvss 5.4epss 0.02
Zoho ManageEngine ServiceDesk Plus MSP before 14504 allows stored XSS (by a low-privileged technician) via a task's name in a time sheet.
- risk 0.35cvss 5.4epss 0.04
Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a privilege escalation vulnerability in the Release module that allows unprivileged users to access the Reminders of a release ticket and make…
- risk 0.35cvss 5.3epss 0.10
Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login.
Page 4 of 5