CVSS: 7.5EPSS: 0%CPEs: 48EXPL: 0CVE-2023-26601 – ManageEngine ServiceDesk Plus ImageUploadServlet Improper Input Validation Denial-of-Service Vulnerability
https://notcve.org/view.php?id=CVE-2023-26601
Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Center Plus before 14000 allow Denial-of-Service (DoS). This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of ManageEngine ServiceDesk Plus. Authentication is required to exploit this vulnerability. The specific flaw exists within the ImageUploadServlet. The issue results from the lack of proper input validation. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. • https://manageengine.com https://www.manageengine.com/products/service-desk/CVE-2023-26601.html • CWE-400: Uncontrolled Resource Consumption •
CVSS: 8.8EPSS: 0%CPEs: 80EXPL: 0CVE-2023-26600 – ManageEngine ServiceDesk Plus MSP generateSQLReport Improper Input Validation Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2023-26600
ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Explorer through 6987 allow privilege escalation via query reports. This vulnerability allows remote attackers to escalate privileges on affected installations of ManageEngine ServiceDesk Plus MSP. Authentication is required to exploit this vulnerability. The specific flaw exists within the generateSQLReport function. The issue results from the lack of proper validation of user-supplied data. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the user. • https://manageengine.com https://www.manageengine.com/products/service-desk/CVE-2023-26600.html •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2023-23074
https://notcve.org/view.php?id=CVE-2023-23074
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via embedding videos in the language component. • https://bugbounty.zohocorp.com/bb/#/bug/101000006459195?tab=originator https://www.manageengine.com/products/service-desk/CVE-2023-23074.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 14EXPL: 0CVE-2023-23077
https://notcve.org/view.php?id=CVE-2023-23077
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment. • https://bugbounty.zohocorp.com/bb/#/bug/101000006387693?tab=originator https://www.manageengine.com/products/service-desk/CVE-2023-23077.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2023-23078
https://notcve.org/view.php?id=CVE-2023-23078
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets. • https://bugbounty.zohocorp.com/bb/#/bug/101000006458675?tab=originator https://www.manageengine.com/products/service-desk/CVE-2023-23078.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •