VYPR

ManageEngine Service Plus

by Zoho

CVEs (95)

  • CVE-2022-25245MedApr 5, 2022
    risk 0.35cvss 5.3epss 0.01

    Zoho ManageEngine ServiceDesk Plus before 13001 allows anyone to know the organisation's default currency name.

  • CVE-2019-15045MedAug 21, 2019
    risk 0.35cvss 5.3epss 0.05

    AjaxDomainServlet in Zoho ManageEngine ServiceDesk Plus 10 allows User Enumeration. NOTE: the vendor's position is that this is intended functionality

  • CVE-2018-7248MedMay 11, 2018
    risk 0.35cvss 5.3epss 0.06

    An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Unauthenticated users are able to validate domain user accounts by sending a request containing the username to an API endpoint. The endpoint will return the user's logon domain if the accounts exists,…

  • CVE-2016-4890MedApr 14, 2017
    risk 0.35cvss 5.3epss 0.03

    ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a cookie.

  • CVE-2016-4888MedApr 14, 2017
    risk 0.35cvss 5.4epss 0.02

    Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ServiceDesk Plus before 9.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

  • CVE-2023-29443MedApr 26, 2023
    risk 0.32cvss 4.9epss 0.03

    Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint.

  • CVE-2022-40771MedNov 23, 2022
    risk 0.32cvss 4.9epss 0.03

    Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure.

  • CVE-2020-6843MedJan 23, 2020
    risk 0.31cvss 4.8epss 0.02

    Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS. This issue was fixed in version 11.0 Build 11010, SD-83959.

  • CVE-2022-28810MedKEVApr 18, 2022
    risk 0.21cvss 6.8epss 0.70

    Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this…

  • CVE-2024-27314LowMay 27, 2024
    risk 0.16cvss 2.4epss 0.02

    Zoho ManageEngine ServiceDesk Plus versions below 14730, ServiceDesk Plus MSP below 14720 and SupportCenter Plus below 14720 are vulnerable to stored XSS in the Custom Actions menu on the request details. This vulnerability can be exploited only by the SDAdmin role users.

  • CVE-2010-3274Feb 17, 2011
    risk 0.05cvss epss 0.21

    Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in the Employee Search Engine in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allow remote attackers to inject arbitrary web script or HTML via the searchString parameter in a (1) showList or…

  • CVE-2015-1480Feb 4, 2015
    risk 0.04cvss epss 0.06

    ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to obtain sensitive ticket information via a (1) getTicketData action to servlet/AJaxServlet or a direct request to (2) swf/flashreport.swf, (3) reports/flash/details.jsp, or (4)…

  • CVE-2015-1479Feb 4, 2015
    risk 0.03cvss epss 0.04

    SQL injection vulnerability in reports/CreateReportTable.jsp in ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to execute arbitrary SQL commands via the site parameter.

  • CVE-2010-3272Feb 17, 2011
    risk 0.03cvss epss 0.04

    accounts/ValidateAnswers in the security-questions implementation in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 makes it easier for remote attackers to reset user passwords, and consequently obtain access to arbitrary user accounts, via a modified (1)…

  • CVE-2014-3779Jan 7, 2015
    risk 0.00cvss epss 0.04

    Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ADSelfService Plus before 5.2 Build 5202 allows remote attackers to inject arbitrary web script or HTML via the name parameter to GroupSubscription.do.

Page 5 of 5