Zohocorp Manageengine Servicedesk Plus vulnerabilities
50 known vulnerabilities affecting zohocorp/manageengine_servicedesk_plus.
Total CVEs: 50
CISA KEV: 4 (actively exploited)
Public exploits: 12
Exploited in wild: 4
Severity breakdown: CRITICAL 5, HIGH 11, MEDIUM 33, LOW 1
Vulnerabilities
Page 1 of 3
CVE-2022-47966 | P1 | CRITICAL | CWE-20 | CVSS 9.8 | KEV | PoC | Ransomware | fixed in 14.0 | affected: v14.0 | 2023-01-18
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications
Source: NVD
CVE-2021-37415 | P1 | CRITICAL | CWE-306 | CVSS 9.8 | KEV | PoC | affected: v11.0, v11.1, +2 more | 2021-09-01
Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication.
Source: NVD
CVE-2021-44077 | P1 | CRITICAL | CWE-306 | CVSS 9.8 | KEV | PoC | fixed in 11.1 | affected: v11.1, +2 more | 2021-11-29
Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.
Source: NVD
CVE-2019-8394 | P1 | MEDIUM | CWE-434 | CVSS 6.5 | KEV | PoC | fixed in 10.0.0 | affected: v10.0.0 | 2019-02-17
Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization.
Source: NVD
CVE-2022-40770 | P2 | HIGH | CWE-77 | CVSS 7.2 | fixed in 13.0 | affected: v13.0 | 2022-11-23
Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to authenticated command injection. This can be exploited by high-privileged users.
Source: NVD
CVE-2021-20081 | P2 | HIGH | CVSS 7.2 | fixed in 11.2 | affected: v11.2, +1 more | 2021-06-10
Incomplete List of Disallowed Inputs in ManageEngine ServiceDesk Plus before version 11205 allows a remote, authenticated attacker to execute arbitrary commands with SYSTEM privileges.
Source: NVD
CVE-2019-12252 | P3 | MEDIUM | CWE-639 | CVSS 6.5 | PoC | affected: ≤ 10.5 | 2019-05-21
In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id= substring.
Source: NVD
CVE-2019-15083 | P3 | MEDIUM | CWE-79 | CVSS 6.1 | PoC | affected: v10.0.0 | 2020-05-14
Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute code on the Manage Engine ServiceDesk administrator side. At "Asset Home > Server > > software" the adminis
Source: NVD
CVE-2020-35682 | P2 | HIGH | CWE-863 | CVSS 8.8 | fixed in 11.1 | affected: v11.1 | 2021-03-13
Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login).
Source: NVD
CVE-2019-12543 | P3 | MEDIUM | CWE-79 | CVSS 6.1 | PoC | affected: v9.3 | 2019-06-05
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter.
Source: NVD
CVE-2019-12542 | P3 | MEDIUM | CWE-79 | CVSS 6.1 | PoC | affected: v9.3 | 2019-06-05
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter.
Source: NVD
CVE-2019-12541 | P3 | MEDIUM | CWE-79 | CVSS 6.1 | PoC | affected: v9.3 | 2019-06-05
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter.
Source: NVD
CVE-2021-44526 | P2 | CRITICAL | CVSS 9.8 | affected: v8.1, v8.2, +13 more | 2021-12-23
Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.
Source: NVD
CVE-2021-20080 | P3 | MEDIUM | CWE-79 | CVSS 6.1 | affected: v8.1, v8.2, +11 more | 2021-04-09
Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks by uploading a crafted XML asset file.
Source: NVD
CVE-2019-12538 | P3 | MEDIUM | CWE-79 | CVSS 6.1 | PoC | affected: v9.3 | 2019-06-05
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do search field.
Source: NVD
CVE-2019-12189 | P3 | MEDIUM | CWE-79 | CVSS 6.1 | PoC | affected: v9.3 | 2019-05-21
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field.
Source: NVD
CVE-2023-26601 | P3 | HIGH | CWE-400 | CVSS 7.5 | fixed in 14.1 | affected: v14.1 | 2023-03-06
Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Center Plus before 14000 allow Denial-of-Service (DoS).
Source: NVD
CVE-2023-23074 | P3 | MEDIUM | CWE-79 | CVSS 6.1 | affected: v14.0 | 2023-02-01
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via embedding videos in the language component.
Source: NVD
CVE-2019-8395 | P3 | CRITICAL | CWE-22 | CVSS 9.8 | fixed in 10.0 | 2019-02-17
An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an attachment to a request.
Source: NVD
CVE-2019-10273 | P4 | MEDIUM | CWE-287 | CVSS 4.3 | PoC | affected: v9.3 | 2019-04-04
Information leakage vulnerability in the /mc login page in ManageEngine ServiceDesk Plus 9.3 software allows authenticated users to enumerate active users. Due to a flaw within the way the authentication is handled, an attacker is able to login and verify any active account.
Source: NVD