ManageEngine ServiceDesk Plus MSP

CVEs (18)

CVE	Vendor / Product	Sev	Risk	CVSS	EPSS	KEV	Published	Description
CVE-2016-4889	Zohocorp Servicedesk Plus	Hig	0.58	8.8	0.04		Apr 14, 2017	ZOHO ManageEngine ServiceDesk Plus before 9.0 allows remote authenticated guest users to have unspecified impact by leveraging failure to restrict access to unknown functions.
CVE-2016-4890	Zohocorp Servicedesk Plus	Med	0.35	5.3	0.03		Apr 14, 2017	ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a cookie.
CVE-2016-4888	Zohocorp Servicedesk Plus	Med	0.35	5.4	0.02		Apr 14, 2017	Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ServiceDesk Plus before 9.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2021-44077	Zohocorp ManageEngine ServiceDesk Plus MSP		0.23	—	0.94	KEV	Nov 29, 2021	Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.
CVE-2019-8394	Zohocorp ManageEngine ServiceDesk Plus MSP		0.22	—	0.88	KEV	Feb 17, 2019	Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization.
CVE-2021-37415	Zohocorp ManageEngine ServiceDesk Plus MSP		0.19	—	0.93	KEV	Sep 1, 2021	Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication.
CVE-2015-1479	Zohocorp Servicedesk Plus		0.04	—	0.11		Feb 4, 2015	SQL injection vulnerability in reports/CreateReportTable.jsp in ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to execute arbitrary SQL commands via the site parameter.
CVE-2021-31160	Zohocorp ManageEngine ServiceDesk Plus MSP		0.01	—	0.10		Jun 29, 2021	Zoho ManageEngine ServiceDesk Plus MSP before 10521 allows an attacker to access internal data.
CVE-2025-3444	Manageengine Servicedesk Plus		0.00	—	0.01		May 22, 2025	Zohocorp ManageEngine ServiceDesk Plus MSP and SupportCenter Plus versions below 14920 are vulnerable to authenticated Local File Inclusion (LFI) in the Admin module, where help card content is loaded.
CVE-2024-50053	Manageengine Servicedesk Plus		0.00	—	0.00		Mar 21, 2025	Zohocorp ManageEngine ServiceDesk Plus versions below 14920 , ServiceDesk Plus MSP and SupportCentre Plus versions below 14910 are vulnerable to Stored XSS in the task feature.
CVE-2024-41150	Manageengine Servicedesk Plus		0.00	—	0.01		Aug 23, 2024	An Stored Cross-site Scripting vulnerability in request module affects Zohocorp ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus.This issue affects ServiceDesk Plus versions: through 14810; ServiceDesk Plus MSP: through 14800; SupportCenter Plus:…
CVE-2024-27314	Manageengine Supportcenter Plus		0.00	—	0.03		May 27, 2024	Zoho ManageEngine ServiceDesk Plus versions below 14730, ServiceDesk Plus MSP below 14720 and SupportCenter Plus below 14720 are vulnerable to stored XSS in the Custom Actions menu on the request details. This vulnerability can be exploited only by the SDAdmin role users.
CVE-2023-49943	Zohocorp ManageEngine ServiceDesk Plus MSP		0.00	—	0.01		Jan 18, 2024	Zoho ManageEngine ServiceDesk Plus MSP before 14504 allows stored XSS (by a low-privileged technician) via a task's name in a time sheet.
CVE-2022-40771	Zohocorp ManageEngine ServiceDesk Plus MSP		0.00	—	0.01		Nov 23, 2022	Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure.
CVE-2022-40772	Zohocorp ManageEngine ServiceDesk Plus MSP		0.00	—	0.01		Nov 23, 2022	Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to a validation bypass that allows users to access sensitive data via the report module.
CVE-2022-40773	Manageengine Supportcenter Plus		0.00	—	0.01		Nov 12, 2022	Zoho ManageEngine ServiceDesk Plus MSP before 10609 and SupportCenter Plus before 11025 are vulnerable to privilege escalation. This allows users to obtain sensitive data during an exportMickeyList export of requests from the list view.
CVE-2021-31531	Zohocorp ManageEngine ServiceDesk Plus MSP		0.00	—	0.06		Jun 29, 2021	Zoho ManageEngine ServiceDesk Plus MSP before 10521 is vulnerable to Server-Side Request Forgery (SSRF).
CVE-2021-31530	Zohocorp ManageEngine ServiceDesk Plus MSP		0.00	—	0.04		Jun 29, 2021	Zoho ManageEngine ServiceDesk Plus MSP before 10522 is vulnerable to Information Disclosure.

CVE-2016-4889HigApr 14, 2017
Zohocorp
Servicedesk Plus
risk 0.58cvss 8.8epss 0.04
ZOHO ManageEngine ServiceDesk Plus before 9.0 allows remote authenticated guest users to have unspecified impact by leveraging failure to restrict access to unknown functions.
CVE-2016-4890MedApr 14, 2017
Zohocorp
Servicedesk Plus
risk 0.35cvss 5.3epss 0.03
ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a cookie.
CVE-2016-4888MedApr 14, 2017
Zohocorp
Servicedesk Plus
risk 0.35cvss 5.4epss 0.02
Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ServiceDesk Plus before 9.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2021-44077KEVNov 29, 2021
Zohocorp
ManageEngine ServiceDesk Plus MSP
risk 0.23cvss —epss 0.94
Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.
CVE-2019-8394KEVFeb 17, 2019
Zohocorp
ManageEngine ServiceDesk Plus MSP
risk 0.22cvss —epss 0.88
Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization.
CVE-2021-37415KEVSep 1, 2021
Zohocorp
ManageEngine ServiceDesk Plus MSP
risk 0.19cvss —epss 0.93
Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication.
CVE-2015-1479Feb 4, 2015
Zohocorp
Servicedesk Plus
risk 0.04cvss —epss 0.11
SQL injection vulnerability in reports/CreateReportTable.jsp in ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to execute arbitrary SQL commands via the site parameter.
CVE-2021-31160Jun 29, 2021
Zohocorp
ManageEngine ServiceDesk Plus MSP
risk 0.01cvss —epss 0.10
Zoho ManageEngine ServiceDesk Plus MSP before 10521 allows an attacker to access internal data.
CVE-2025-3444May 22, 2025
Manageengine
Servicedesk Plus
risk 0.00cvss —epss 0.01
Zohocorp ManageEngine ServiceDesk Plus MSP and SupportCenter Plus versions below 14920 are vulnerable to authenticated Local File Inclusion (LFI) in the Admin module, where help card content is loaded.
CVE-2024-50053Mar 21, 2025
Manageengine
Servicedesk Plus
risk 0.00cvss —epss 0.00
Zohocorp ManageEngine ServiceDesk Plus versions below 14920 , ServiceDesk Plus MSP and SupportCentre Plus versions below 14910 are vulnerable to Stored XSS in the task feature.
CVE-2024-41150Aug 23, 2024
Manageengine
Servicedesk Plus
risk 0.00cvss —epss 0.01
An Stored Cross-site Scripting vulnerability in request module affects Zohocorp ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus.This issue affects ServiceDesk Plus versions: through 14810; ServiceDesk Plus MSP: through 14800; SupportCenter Plus:…
CVE-2024-27314May 27, 2024
Manageengine
Supportcenter Plus
risk 0.00cvss —epss 0.03
Zoho ManageEngine ServiceDesk Plus versions below 14730, ServiceDesk Plus MSP below 14720 and SupportCenter Plus below 14720 are vulnerable to stored XSS in the Custom Actions menu on the request details. This vulnerability can be exploited only by the SDAdmin role users.
CVE-2023-49943Jan 18, 2024
Zohocorp
ManageEngine ServiceDesk Plus MSP
risk 0.00cvss —epss 0.01
Zoho ManageEngine ServiceDesk Plus MSP before 14504 allows stored XSS (by a low-privileged technician) via a task's name in a time sheet.
CVE-2022-40771Nov 23, 2022
Zohocorp
ManageEngine ServiceDesk Plus MSP
risk 0.00cvss —epss 0.01
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information Disclosure.
CVE-2022-40772Nov 23, 2022
Zohocorp
ManageEngine ServiceDesk Plus MSP
risk 0.00cvss —epss 0.01
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to a validation bypass that allows users to access sensitive data via the report module.
CVE-2022-40773Nov 12, 2022
Manageengine
Supportcenter Plus
risk 0.00cvss —epss 0.01
Zoho ManageEngine ServiceDesk Plus MSP before 10609 and SupportCenter Plus before 11025 are vulnerable to privilege escalation. This allows users to obtain sensitive data during an exportMickeyList export of requests from the list view.
CVE-2021-31531Jun 29, 2021
Zohocorp
ManageEngine ServiceDesk Plus MSP
risk 0.00cvss —epss 0.06
Zoho ManageEngine ServiceDesk Plus MSP before 10521 is vulnerable to Server-Side Request Forgery (SSRF).
CVE-2021-31530Jun 29, 2021
Zohocorp
ManageEngine ServiceDesk Plus MSP
risk 0.00cvss —epss 0.04
Zoho ManageEngine ServiceDesk Plus MSP before 10522 is vulnerable to Information Disclosure.