Manageengine Servicedesk Plus

manageengine_servicedesk_plus

Vendor: Zohocorp • 50 CVEs

CVEs (50)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2021-46065 1Zohocorp 1Manageengine Servicedesk Plus Nov 21, 2024 Jan 27, 2022 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 A Cross-site scripting (XSS) vulnerability in Secondary Email Field in Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306 allows an attackers to inject arbitrary JavaScript code.
CVE-2021-44526 1Zohocorp 1Manageengine Servicedesk Plus Nov 21, 2024 Dec 23, 2021 N/A· v4 9.8 CRITICAL· v3 6.8 MEDIUM· v2 Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.
CVE-2021-44077 1Zohocorp 3Manageengine Servicedesk Plus Manageengine Servicedesk Plus MspManageengine Supportcenter Plus Oct 31, 2025 Nov 29, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servl...Show more Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.Show less
CVE-2021-37415 1Zohocorp 1Manageengine Servicedesk Plus Oct 31, 2025 Sep 1, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication.
CVE-2021-31160 1Zohocorp 2Manageengine Servicedesk Plus Manageengine Servicedesk Plus Msp May 30, 2025 Jun 29, 2021 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Zoho ManageEngine ServiceDesk Plus MSP before 10521 allows an attacker to access internal data.
CVE-2021-20081 1Zohocorp 1Manageengine Servicedesk Plus Nov 21, 2024 Jun 10, 2021 N/A· v4 7.2 HIGH· v3 9.0 HIGH· v2 Incomplete List of Disallowed Inputs in ManageEngine ServiceDesk Plus before version 11205 allows a remote, authenticated attacker to execute arbitrary commands with SYSTEM privileges.
CVE-2021-20080 1Zohocorp 1Manageengine Servicedesk Plus Nov 21, 2024 Apr 9, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripti...Show more Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks by uploading a crafted XML asset file.Show less
CVE-2020-35682 1Zohocorp 1Manageengine Servicedesk Plus Nov 21, 2024 Mar 13, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login).
CVE-2020-14048 1Zohocorp 1Manageengine Servicedesk Plus Nov 21, 2024 Jun 12, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents.
CVE-2020-13154 1Zohocorp 1Manageengine Servicedesk Plus Nov 21, 2024 May 18, 2020 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 Zoho ManageEngine Service Plus before 11.1 build 11112 allows low-privilege authenticated users to discover the File Protection password via a getFileProtectionSettings call to AjaxServlet.
CVE-2019-15083 1Zohocorp 1Manageengine Servicedesk Plus Nov 21, 2024 May 14, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local...Show more Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute code on the Manage Engine ServiceDesk administrator side. At "Asset Home > Server > <workstation> > software" the administrator of ManageEngine can control what software is installed on the workstation. This table shows all the installed program names in the Software column. In this field, a remote attacker can inject malicious code in order to execute it when the ManageEngine administrator visualizes this page.Show less
CVE-2020-6843 1Zohocorp 1Manageengine Servicedesk Plus Nov 21, 2024 Jan 23, 2020 N/A· v4 4.8 MEDIUM· v3 3.5 LOW· v2 Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS. This issue was fixed in version 11.0 Build 11010, SD-83959.
CVE-2019-15045 1Zohocorp 1Manageengine Servicedesk Plus Nov 21, 2024 Aug 21, 2019 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 AjaxDomainServlet in Zoho ManageEngine ServiceDesk Plus 10 allows User Enumeration. NOTE: the vendor's position is that this is intended functionality
CVE-2019-15046 1Zohocorp 1Manageengine Servicedesk Plus Nov 21, 2024 Aug 14, 2019 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989.
CVE-2019-12540 1Zohocorp 1Manageengine Servicedesk Plus Nov 21, 2024 Jul 11, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in Zoho ManageEngine ServiceDesk Plus 10.5. There is XSS via the WorkOrder.do search field.
CVE-2019-12539 1Zohocorp 1Manageengine Servicedesk Plus Nov 21, 2024 Jul 11, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in the Purchase component of Zoho ManageEngine ServiceDesk Plus. There is XSS via the SearchN.do search field, a different vulnerability than CVE-2019-12189.
CVE-2019-12133 1Zohocorp 18Manageengine Analytics Plus Manageengine Browser Security PlusManageengine Desktop Central+15 more Nov 21, 2024 Jun 18, 2019 N/A· v4 7.8 HIGH· v3 7.2 HIGH· v2 Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said product...Show more Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, SupportCenter Plus 8.1, O365 Manager Plus 4.0, Mobile Device Manager Plus 9.0.0, Patch Connect Plus 9.0.0, Vulnerability Manager Plus 9.0.0, Patch Manager Plus 9.0.0, OpManager 12.3, NetFlow Analyzer 11.0, OpUtils 11.0, Network Configuration Manager 11.0, FireWall 12.0, Key Manager Plus 5.6, Password Manager Pro 9.9, Analytics Plus 1.0, and Browser Security Plus.Show less
CVE-2019-12543 1Zohocorp 1Manageengine Servicedesk Plus Nov 21, 2024 Jun 5, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter.
CVE-2019-12542 1Zohocorp 1Manageengine Servicedesk Plus Nov 21, 2024 Jun 5, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter.
CVE-2019-12541 1Zohocorp 1Manageengine Servicedesk Plus Nov 21, 2024 Jun 5, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter.

Previous 123 Next