CVSS: 8.8EPSS: 0%CPEs: 80EXPL: 0CVE-2023-26600 – ManageEngine ServiceDesk Plus MSP generateSQLReport Improper Input Validation Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2023-26600
ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Explorer through 6987 allow privilege escalation via query reports. This vulnerability allows remote attackers to escalate privileges on affected installations of ManageEngine ServiceDesk Plus MSP. Authentication is required to exploit this vulnerability. The specific flaw exists within the generateSQLReport function. The issue results from the lack of proper validation of user-supplied data. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the user. • https://manageengine.com https://www.manageengine.com/products/service-desk/CVE-2023-26600.html •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2023-23074
https://notcve.org/view.php?id=CVE-2023-23074
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via embedding videos in the language component. • https://bugbounty.zohocorp.com/bb/#/bug/101000006459195?tab=originator https://www.manageengine.com/products/service-desk/CVE-2023-23074.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 14EXPL: 0CVE-2023-23077
https://notcve.org/view.php?id=CVE-2023-23077
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment. • https://bugbounty.zohocorp.com/bb/#/bug/101000006387693?tab=originator https://www.manageengine.com/products/service-desk/CVE-2023-23077.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2023-23078
https://notcve.org/view.php?id=CVE-2023-23078
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets. • https://bugbounty.zohocorp.com/bb/#/bug/101000006458675?tab=originator https://www.manageengine.com/products/service-desk/CVE-2023-23078.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2023-23073
https://notcve.org/view.php?id=CVE-2023-23073
Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component. • https://bugbounty.zohocorp.com/bb/#/bug/101000006459171?tab=originator https://www.manageengine.com/products/service-desk/CVE-2023-23073.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •