ManageEngine Service Plus
by Zoho
CVEs (95)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-25245 | Med | 0.35 | 5.3 | 0.01 | Apr 5, 2022 | Zoho ManageEngine ServiceDesk Plus before 13001 allows anyone to know the organisation's default currency name. | ||
| CVE-2019-15045 | Med | 0.35 | 5.3 | 0.05 | Aug 21, 2019 | AjaxDomainServlet in Zoho ManageEngine ServiceDesk Plus 10 allows User Enumeration. NOTE: the vendor's position is that this is intended functionality | ||
| CVE-2018-7248 | Med | 0.35 | 5.3 | 0.06 | May 11, 2018 | An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Unauthenticated users are able to validate domain user accounts by sending a request containing the username to an API endpoint. The endpoint will return the user's logon domain if the accounts exists,… | ||
| CVE-2016-4890 | Med | 0.35 | 5.3 | 0.03 | Apr 14, 2017 | ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a cookie. | ||
| CVE-2016-4888 | Med | 0.35 | 5.4 | 0.02 | Apr 14, 2017 | Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ServiceDesk Plus before 9.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | ||
| CVE-2023-29443 | Med | 0.32 | 4.9 | 0.03 | Apr 26, 2023 | Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint. | ||
| CVE-2022-40771 | Med | 0.32 | 4.9 | 0.03 | Nov 23, 2022 | Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure. | ||
| CVE-2020-6843 | Med | 0.31 | 4.8 | 0.02 | Jan 23, 2020 | Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS. This issue was fixed in version 11.0 Build 11010, SD-83959. | ||
| CVE-2022-28810 | Med | 0.21 | 6.8 | 0.70 | KEV | Apr 18, 2022 | Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this… | |
| CVE-2024-27314 | Low | 0.16 | 2.4 | 0.02 | May 27, 2024 | Zoho ManageEngine ServiceDesk Plus versions below 14730, ServiceDesk Plus MSP below 14720 and SupportCenter Plus below 14720 are vulnerable to stored XSS in the Custom Actions menu on the request details. This vulnerability can be exploited only by the SDAdmin role users. | ||
| CVE-2010-3274 | 0.05 | — | 0.21 | Feb 17, 2011 | Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in the Employee Search Engine in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allow remote attackers to inject arbitrary web script or HTML via the searchString parameter in a (1) showList or… | |||
| CVE-2015-1480 | 0.04 | — | 0.06 | Feb 4, 2015 | ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to obtain sensitive ticket information via a (1) getTicketData action to servlet/AJaxServlet or a direct request to (2) swf/flashreport.swf, (3) reports/flash/details.jsp, or (4)… | |||
| CVE-2015-1479 | 0.03 | — | 0.04 | Feb 4, 2015 | SQL injection vulnerability in reports/CreateReportTable.jsp in ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to execute arbitrary SQL commands via the site parameter. | |||
| CVE-2010-3272 | 0.03 | — | 0.04 | Feb 17, 2011 | accounts/ValidateAnswers in the security-questions implementation in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 makes it easier for remote attackers to reset user passwords, and consequently obtain access to arbitrary user accounts, via a modified (1)… | |||
| CVE-2014-3779 | 0.00 | — | 0.04 | Jan 7, 2015 | Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ADSelfService Plus before 5.2 Build 5202 allows remote attackers to inject arbitrary web script or HTML via the name parameter to GroupSubscription.do. |
- risk 0.35cvss 5.3epss 0.01
Zoho ManageEngine ServiceDesk Plus before 13001 allows anyone to know the organisation's default currency name.
- risk 0.35cvss 5.3epss 0.05
AjaxDomainServlet in Zoho ManageEngine ServiceDesk Plus 10 allows User Enumeration. NOTE: the vendor's position is that this is intended functionality
- risk 0.35cvss 5.3epss 0.06
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Unauthenticated users are able to validate domain user accounts by sending a request containing the username to an API endpoint. The endpoint will return the user's logon domain if the accounts exists,…
- risk 0.35cvss 5.3epss 0.03
ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a cookie.
- risk 0.35cvss 5.4epss 0.02
Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ServiceDesk Plus before 9.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- risk 0.32cvss 4.9epss 0.03
Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint.
- risk 0.32cvss 4.9epss 0.03
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure.
- risk 0.31cvss 4.8epss 0.02
Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS. This issue was fixed in version 11.0 Build 11010, SD-83959.
- risk 0.21cvss 6.8epss 0.70
Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this…
- risk 0.16cvss 2.4epss 0.02
Zoho ManageEngine ServiceDesk Plus versions below 14730, ServiceDesk Plus MSP below 14720 and SupportCenter Plus below 14720 are vulnerable to stored XSS in the Custom Actions menu on the request details. This vulnerability can be exploited only by the SDAdmin role users.
- CVE-2010-3274Feb 17, 2011risk 0.05cvss —epss 0.21
Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in the Employee Search Engine in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allow remote attackers to inject arbitrary web script or HTML via the searchString parameter in a (1) showList or…
- CVE-2015-1480Feb 4, 2015risk 0.04cvss —epss 0.06
ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to obtain sensitive ticket information via a (1) getTicketData action to servlet/AJaxServlet or a direct request to (2) swf/flashreport.swf, (3) reports/flash/details.jsp, or (4)…
- CVE-2015-1479Feb 4, 2015risk 0.03cvss —epss 0.04
SQL injection vulnerability in reports/CreateReportTable.jsp in ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to execute arbitrary SQL commands via the site parameter.
- CVE-2010-3272Feb 17, 2011risk 0.03cvss —epss 0.04
accounts/ValidateAnswers in the security-questions implementation in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 makes it easier for remote attackers to reset user passwords, and consequently obtain access to arbitrary user accounts, via a modified (1)…
- CVE-2014-3779Jan 7, 2015risk 0.00cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ADSelfService Plus before 5.2 Build 5202 allows remote attackers to inject arbitrary web script or HTML via the name parameter to GroupSubscription.do.
Page 5 of 5