Zoho ManageEngine ServiceDesk Plus vulnerabilities

50 known vulnerabilities affecting zohocorp/manageengine_servicedesk_plus.

Total CVEs: 50
CISA KEV: 4 (actively exploited)
Public exploits: 12
Exploited in wild: 4
Severity breakdown: CRITICAL 5, HIGH 11, MEDIUM 33, LOW 1

Vulnerabilities

Page 3 of 3
CVE-2019-12541 | MEDIUM | CVSS 6.1 | PoC | v9.3 | 2019-06-05
CWE-79: An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter.
Source: NVD
CVE-2019-12189 | MEDIUM | CVSS 6.1 | PoC | v9.3 | 2019-05-21
CWE-79: An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field.
Source: NVD
CVE-2019-12252 | MEDIUM | CVSS 6.5 | PoC | ≤ 10.5 | 2019-05-21
CWE-639: In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id= substring.
Source: NVD
CVE-2019-10273 | MEDIUM | CVSS 4.3 | PoC | v9.3 | 2019-04-04
CWE-287: Information leakage vulnerability in the /mc login page in ManageEngine ServiceDesk Plus 9.3 software allows authenticated users to enumerate active users. Due to a flaw within the way the authentication is handled, an attacker is able to login and verify any active account.
Source: NVD
CVE-2017-9362 | HIGH | CVSS 8.8 | fixed in 9.3 | 2019-03-25
CWE-611: ManageEngine ServiceDesk Plus before 9312 contains an XML injection at add Configuration items CMDB API.
Source: NVD
CVE-2017-9376 | MEDIUM | CVSS 6.5 | fixed in 9.3 | 2019-03-25
CWE-20: ManageEngine ServiceDesk Plus before 9314 contains a local file inclusion vulnerability in the defModule parameter in DefaultConfigDef.do and AssetDefaultConfigDef.do.
Source: NVD
CVE-2019-8395 | CRITICAL | CVSS 9.8 | fixed in 10.0 | 2019-02-17
CWE-22: An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an attachment to a request.
Source: NVD
CVE-2019-8394 | MEDIUM | CVSS 6.5 | KEV | PoC | fixed in 10.0.0 | v10.0.0 | 2019-02-17
CWE-434: Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization.
Source: NVD
CVE-2018-7248 | MEDIUM | CVSS 5.3 | v9.3 | 2018-05-11
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Unauthenticated users are able to validate domain user accounts by sending a request containing the username to an API endpoint. The endpoint will return the user's logon domain if the account exists, or 'null' if it does not.
Source: NVD
CVE-2018-5799 | MEDIUM | CVSS 6.1 | fixed in 9403 | 2018-03-30
CWE-79: In Zoho ManageEngine ServiceDesk Plus before 9403, an XSS issue allows an attacker to run arbitrary JavaScript via a /api/request/?OPERATION_NAME= URI, aka SD-69139.
Source: NVD