Zohocorp Manageengine Servicedesk Plus — known CVE vulnerabilities
Every CVE whose affected-product data names Zohocorp Manageengine Servicedesk Plus, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2021-44526 — CVSS 9.8 (critical): Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.
CVE-2019-8395 — CVSS 9.8 (critical): An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an…
CVE-2017-9362 — CVSS 8.8 (high): ManageEngine ServiceDesk Plus before 9312 contains an XML injection at add Configuration items CMDB API.
CVE-2020-35682 — CVSS 8.8 (high): Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login).
CVE-2024-38869 — CVSS 8.3 (high): Zohocorp ManageEngine Endpoint Central affected by Incorrect authorization vulnerability in remote office deploy configurations.This issue…
CVE-2023-35785 — CVSS 8.1 (high): Zoho ManageEngine Active Directory 360 versions 4315 and below, ADAudit Plus 7202 and below, ADManager Plus 7200 and below, Asset Explorer…
CVE-2019-12133 — CVSS 7.8 (high): Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine…
CVE-2021-31160 — CVSS 7.5 (high): Zoho ManageEngine ServiceDesk Plus MSP before 10521 allows an attacker to access internal data.
CVE-2022-35403 — CVSS 7.5 (high): Zoho ManageEngine ServiceDesk Plus before 13008, ServiceDesk Plus MSP before 10606, and SupportCenter Plus before 11022 are affected by an…
CVE-2023-26601 — CVSS 7.5 (high): Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Center Plus…
CVE-2020-14048 — CVSS 7.5 (high): Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of…
CVE-2019-15046 — CVSS 7.5 (high): Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS)…
CVE-2021-20081 — CVSS 7.2 (high): Incomplete List of Disallowed Inputs in ManageEngine ServiceDesk Plus before version 11205 allows a remote, authenticated attacker to…
CVE-2022-40770 — CVSS 7.2 (high): Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to authenticated command injection. This can be exploited by…
CVE-2023-26600 — CVSS 6.5 (medium): ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Explorer…
CVE-2022-40772 — CVSS 6.5 (medium): Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to a validation bypass that allows users to access sensitive…
CVE-2020-13154 — CVSS 6.5 (medium): Zoho ManageEngine Service Plus before 11.1 build 11112 allows low-privilege authenticated users to discover the File Protection password…
CVE-2019-12252 — CVSS 6.5 (medium): In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its…
CVE-2017-9376 — CVSS 6.5 (medium): ManageEngine ServiceDesk Plus before 9314 contains a local file inclusion vulnerability in the defModule parameter in DefaultConfigDef.do…
CVE-2024-41150 — CVSS 6.3 (medium): An Stored Cross-site Scripting vulnerability in request module affects Zohocorp ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and…
CVE-2024-50053 — CVSS 6.3 (medium): Zohocorp ManageEngine ServiceDesk Plus versions below 14920 , ServiceDesk Plus MSP and SupportCentre Plus versions below 14910 are…
CVE-2023-23074 — CVSS 6.1 (medium): Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via embedding videos in the language component.
CVE-2018-5799 — CVSS 6.1 (medium): In Zoho ManageEngine ServiceDesk Plus before 9403, an XSS issue allows an attacker to run arbitrary JavaScript via a /api/request/?OPERATION…
CVE-2019-12189 — CVSS 6.1 (medium): An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field.
CVE-2019-12538 — CVSS 6.1 (medium): An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do search field.
CVE-2019-12539 — CVSS 6.1 (medium): An issue was discovered in the Purchase component of Zoho ManageEngine ServiceDesk Plus. There is XSS via the SearchN.do search field, a…
CVE-2019-12540 — CVSS 6.1 (medium): An issue was discovered in Zoho ManageEngine ServiceDesk Plus 10.5. There is XSS via the WorkOrder.do search field.
CVE-2019-12541 — CVSS 6.1 (medium): An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter.
CVE-2019-12542 — CVSS 6.1 (medium): An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter.
CVE-2019-12543 — CVSS 6.1 (medium): An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter.
CVE-2019-15083 — CVSS 6.1 (medium): Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local…
CVE-2021-20080 — CVSS 6.1 (medium): Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800…
CVE-2023-23073 — CVSS 6.1 (medium): Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component.
CVE-2023-23077 — CVSS 6.1 (medium): Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment.
CVE-2023-23078 — CVSS 6.1 (medium): Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in…
CVE-2023-6105 — CVSS 5.5 (medium): An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A…
CVE-2023-34197 — CVSS 5.4 (medium): Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a privilege…
CVE-2018-7248 — CVSS 5.3 (medium): An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Unauthenticated users are able to validate domain user…
CVE-2022-25245 — CVSS 5.3 (medium): Zoho ManageEngine ServiceDesk Plus before 13001 allows anyone to know the organisation's default currency name.
CVE-2019-15045 — CVSS 5.3 (medium): AjaxDomainServlet in Zoho ManageEngine ServiceDesk Plus 10 allows User Enumeration. NOTE: the vendor's position is that this is intended…
CVE-2023-29443 — CVSS 4.9 (medium): Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer…
CVE-2022-40771 — CVSS 4.9 (medium): Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Information…
CVE-2020-6843 — CVSS 4.8 (medium): Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS. This issue was fixed in version 11.0 Build 11010, SD-83959.
CVE-2021-46065 — CVSS 4.8 (medium): A Cross-site scripting (XSS) vulnerability in Secondary Email Field in Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306 allows an…
CVE-2019-10273 — CVSS 4.3 (medium): Information leakage vulnerability in the /mc login page in ManageEngine ServiceDesk Plus 9.3 software allows authenticated users to…
CVE-2024-27314 — CVSS 2.4 (low): Zoho ManageEngine ServiceDesk Plus versions below 14730, ServiceDesk Plus MSP below 14720 and SupportCenter Plus below 14720 are vulnerable…