Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Manageengine_servicedesk_plus
(Zohocorp)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 48 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-01-18 | CVE-2022-47966 | Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081,... | Manageengine_access_manager_plus, Manageengine_ad360, Manageengine_adaudit_plus, Manageengine_admanager_plus, Manageengine_adselfservice_plus, Manageengine_analytics_plus, Manageengine_application_control_plus, Manageengine_assetexplorer, Manageengine_browser_security_plus, Manageengine_device_control_plus, Manageengine_endpoint_dlp_plus, Manageengine_key_manager_plus, Manageengine_os_deployer, Manageengine_pam360, Manageengine_password_manager_pro, Manageengine_patch_manager_plus, Manageengine_remote_access_plus, Manageengine_remote_monitoring_and_management_central, Manageengine_servicedesk_plus, Manageengine_servicedesk_plus_msp, Manageengine_supportcenter_plus, Manageengine_vulnerability_manager_plus | 9.8 | ||
| 2023-03-06 | CVE-2023-26600 | ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Explorer through 6987 allow privilege escalation via query reports. | Manageengine_assetexplorer, Manageengine_servicedesk_plus, Manageengine_servicedesk_plus_msp, Manageengine_supportcenter_plus | 6.5 | ||
| 2023-11-15 | CVE-2023-6105 | An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine product database. | Manageengine_access_manager_plus, Manageengine_adaudit_plus, Manageengine_admanager_plus, Manageengine_adselfservice_plus, Manageengine_analytics_plus, Manageengine_appcreator, Manageengine_application_control_plus, Manageengine_assetexplorer, Manageengine_browser_security_plus, Manageengine_cloud_security_plus, Manageengine_datasecurity_plus, Manageengine_device_control_plus, Manageengine_endpoint_central, Manageengine_endpoint_central_msp, Manageengine_endpoint_dlp_plus, Manageengine_exchange_reporter_plus, Manageengine_firewall_analyzer, Manageengine_log360_ueba, Manageengine_m365_manager_plus, Manageengine_m365_security_plus, Manageengine_mobile_device_manager_plus, Manageengine_netflow_analyzer, Manageengine_network_configuration_manager, Manageengine_opmanager, Manageengine_oputils, Manageengine_os_deployer, Manageengine_pam360, Manageengine_password_manager_pro, Manageengine_patch_connect_plus, Manageengine_patch_manager_plus, Manageengine_recoverymanager_plus, Manageengine_remote_access_plus, Manageengine_remote_monitoring_and_management, Manageengine_secure_gateway_server, Manageengine_servicedesk_plus, Manageengine_servicedesk_plus_msp, Manageengine_sharepoint_manager_plus, Manageengine_supportcenter_plus, Manageengine_vulnerability_manager_plus | 5.5 | ||
| 2019-02-17 | CVE-2019-8394 | Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization. | Manageengine_servicedesk_plus | 6.5 | ||
| 2021-11-29 | CVE-2021-44077 | Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration. | Manageengine_servicedesk_plus, Manageengine_servicedesk_plus_msp, Manageengine_supportcenter_plus | 9.8 | ||
| 2021-09-01 | CVE-2021-37415 | Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication. | Manageengine_servicedesk_plus | 9.8 | ||
| 2023-04-26 | CVE-2023-29443 | Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExplorer before 6989 allow SDAdmin attackers to conduct XXE attacks via a crafted server that sends malformed XML from a Reports integration API endpoint. | Manageengine_assetexplorer, Manageengine_servicedesk_plus, Manageengine_servicedesk_plus_msp, Manageengine_supportcenter_plus | 4.9 | ||
| 2020-01-23 | CVE-2020-6843 | Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS. This issue was fixed in version 11.0 Build 11010, SD-83959. | Manageengine_servicedesk_plus | 4.8 | ||
| 2020-05-18 | CVE-2020-13154 | Zoho ManageEngine Service Plus before 11.1 build 11112 allows low-privilege authenticated users to discover the File Protection password via a getFileProtectionSettings call to AjaxServlet. | Manageengine_servicedesk_plus | 6.5 | ||
| 2020-06-12 | CVE-2020-14048 | Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents. | Manageengine_servicedesk_plus | 7.5 |