VYPR

ServiceDesk Plus

by ManageEngine

CVEs (32)

  • CVE-2014-5301 | High | Aug 28, 2017
    risk 0.66 | cvss 8.8 | epss 0.78

    Directory traversal vulnerability in ServiceDesk Plus MSP v5 to v9.0 v9030; AssetExplorer v4 to v6.1; SupportCenter v5 to v7.9; IT360 v8 to v10.4.

  • CVE-2014-5302 | High | Aug 28, 2017
    risk 0.58 | cvss 8.8 | epss 0.11

    Directory traversal vulnerability in ServiceDesk Plus and Plus MSP v5 through v9.0 v9030; AssetExplorer v4 to v6.1; SupportCenter v5 to v7.9; IT360 v8 to v10.4 allows remote authenticated users to execute arbitrary code.

  • CVE-2025-8309 | High | Aug 20, 2025
    risk 0.53 | cvss 8.1 | epss 0.00

    There is an improper privilege management vulnerability identified in ManageEngine's Asset Explorer, ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus products by Zohocorp. This vulnerability impacts Asset Explorer versions before 7710, ServiceDesk Plus versions…

  • CVE-2008-1299 | Medium | Mar 12, 2008
    risk 0.40 | cvss 6.1 | epss 0.01

    Cross-site scripting (XSS) vulnerability in SolutionSearch.do in ManageEngine ServiceDesk Plus 7.0.0 Build 7011 for Windows allows remote attackers to inject arbitrary web script or HTML via the searchText parameter. NOTE: the provenance of this information is unknown; the…

  • CVE-2022-47966 | KEV | Jan 18, 2023
    risk 0.29 | cvss | epss 1.00

    Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application…

  • CVE-2011-2757 | Jul 17, 2011
    risk 0.06 | cvss | epss 0.39

    Directory traversal vulnerability in FileDownload.jsp in ManageEngine ServiceDesk Plus 8.0.0.12 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the FILENAME parameter. NOTE: this might overlap the US-CERT VU#543310 issue.

  • CVE-2022-40770 | Nov 23, 2022
    risk 0.05 | cvss | epss 0.83

    Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to authenticated command injection. This can be exploited by high-privileged users.

  • CVE-2021-20081 | Jun 10, 2021
    risk 0.05 | cvss | epss 0.52

    Incomplete List of Disallowed Inputs in ManageEngine ServiceDesk Plus before version 11205 allows a remote, authenticated attacker to execute arbitrary commands with SYSTEM privileges.

  • CVE-2011-2755 | Jul 17, 2011
    risk 0.05 | cvss | epss 0.31

    Directory traversal vulnerability in FileDownload.jsp in ManageEngine ServiceDesk Plus 8.0 before Build 8012 allows remote attackers to read arbitrary files via unspecified vectors.

  • CVE-2019-10273 | Apr 4, 2019
    risk 0.04 | cvss | epss 0.08

    Information leakage vulnerability in the /mc login page in ManageEngine ServiceDesk Plus 9.3 software allows authenticated users to enumerate active users. Due to a flaw within the way the authentication is handled, an attacker is able to login and verify any active account.

  • CVE-2015-1480 | Feb 4, 2015
    risk 0.04 | cvss | epss 0.06

    ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to obtain sensitive ticket information via a (1) getTicketData action to servlet/AJaxServlet or a direct request to (2) swf/flashreport.swf, (3) reports/flash/details.jsp, or (4)…

  • CVE-2019-15083 | May 14, 2020
    risk 0.03 | cvss | epss 0.06

    Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute code on the Manage Engine…

  • CVE-2019-12538 | Jun 5, 2019
    risk 0.03 | cvss | epss 0.06

    An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do search field.

  • CVE-2019-12541 | Jun 5, 2019
    risk 0.03 | cvss | epss 0.06

    An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter.

  • CVE-2019-12543 | Jun 5, 2019
    risk 0.03 | cvss | epss 0.06

    An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter.

  • CVE-2019-12252 | May 21, 2019
    risk 0.03 | cvss | epss 0.08

    In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id= substring.

  • CVE-2012-2585 | Aug 12, 2012
    risk 0.03 | cvss | epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine ServiceDesk Plus 8.1 allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a SCRIPT element, (2) a crafted Cascading Style Sheets (CSS) expression property, (3) a CSS…

  • CVE-2023-26601 | Mar 6, 2023
    risk 0.01 | cvss | epss 0.34

    Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Center Plus before 14000 allow Denial-of-Service (DoS).

  • CVE-2021-20080 | Apr 9, 2021
    risk 0.01 | cvss | epss 0.93

    Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks by uploading a crafted XML asset file.

  • CVE-2025-3444 | May 22, 2025
    risk 0.00 | cvss | epss 0.01

    Zohocorp ManageEngine ServiceDesk Plus MSP and SupportCenter Plus versions below 14920 are vulnerable to authenticated Local File Inclusion (LFI) in the Admin module, where help card content is loaded.

Page 1 of 2