Servicedesk Plus
by Manageengine
CVEs (32)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-50053 | | | 0.00 | — | 0.01 | | Mar 21, 2025 | Zohocorp ManageEngine ServiceDesk Plus versions below 14920, ServiceDesk Plus MSP and SupportCentre Plus versions below 14910 are vulnerable to Stored XSS in the task feature. |
| CVE-2024-41150 | | | 0.00 | — | 0.01 | | Aug 23, 2024 | A Stored Cross-site Scripting vulnerability in request module affects Zohocorp ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus. This issue affects ServiceDesk Plus versions: through 14810; ServiceDesk Plus MSP: through 14800; SupportCenter Plus:… |
| CVE-2023-6105 | | | 0.00 | — | 0.01 | | Nov 15, 2023 | An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt… |
| CVE-2023-26600 | | | 0.00 | — | 0.06 | | Mar 6, 2023 | ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Explorer through 6987 allow privilege escalation via query reports. |
| CVE-2020-35682 | | | 0.00 | — | 0.07 | | Mar 13, 2021 | Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login). |
| CVE-2019-15046 | | | 0.00 | — | 0.05 | | Aug 14, 2019 | Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989. |
| CVE-2019-12133 | | | 0.00 | — | 0.02 | | Jun 18, 2019 | Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current… |
| CVE-2017-9362 | | | 0.00 | — | 0.04 | | Mar 25, 2019 | ManageEngine ServiceDesk Plus before 9312 contains an XML injection at add Configuration items CMDB API. |
| CVE-2017-9376 | | | 0.00 | — | 0.07 | | Mar 25, 2019 | ManageEngine ServiceDesk Plus before 9314 contains a local file inclusion vulnerability in the defModule parameter in DefaultConfigDef.do and AssetDefaultConfigDef.do. |
| CVE-2011-1510 | | | 0.00 | — | 0.01 | | Sep 20, 2011 | Cross-site scripting (XSS) vulnerability in SolutionSearch.do in ManageEngine ServiceDesk Plus (SDP) before 8012 allows remote attackers to inject arbitrary web script or HTML via the searchText parameter. |
| CVE-2011-1509 | | | 0.00 | — | 0.01 | | Sep 20, 2011 | The encryptPassword function in Login.js in ManageEngine ServiceDesk Plus (SDP) 8012 and earlier uses a Caesar cipher for encryption of passwords in cookies, which makes it easier for remote attackers to obtain sensitive information by sniffing the network. |
| CVE-2011-2756 | | | 0.00 | — | 0.02 | | Jul 17, 2011 | FileDownload.jsp in ManageEngine ServiceDesk Plus 8.0 before Build 8012 does not require authentication, which allows remote attackers to read files from a specific directory via unspecified vectors. |