CVSS: 6.1EPSS: 35%CPEs: 276EXPL: 1CVE-2021-20080
https://notcve.org/view.php?id=CVE-2021-20080
09 Apr 2021 — Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks by uploading a crafted XML asset file. Un saneamiento de salida insuficiente en ManageEngine ServiceDesk Plus versiones anteriores a 11200 y ManageEngine AssetExplorer versiones anteriores a 6800, permite a un atacante remoto no autenticado conducir ataques de tipo cross-sit... • https://www.tenable.com/security/research/tra-2021-11 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 35EXPL: 1CVE-2020-35682
https://notcve.org/view.php?id=CVE-2020-35682
13 Mar 2021 — Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login). Zoho ManageEngine ServiceDesk Plus versiones anteriores a 11134, permite una omisión de autenticación (solo durante el inicio de sesión SAML) • https://github.com/its-arun/CVE-2020-35682 • CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 30%CPEs: 269EXPL: 0CVE-2020-14048
https://notcve.org/view.php?id=CVE-2020-14048
12 Jun 2020 — Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents. Zoho ManageEngine ServiceDesk Plus versiones anteriores a 11.1, build 11115, permite a atacantes remotos no autenticados cambiar el estado de instalación de los agentes desplegados • https://gitlab.com/eLeN3Re/CVE-2020-14048 • CWE-306: Missing Authentication for Critical Function •
CVSS: 4.8EPSS: 4%CPEs: 1EXPL: 5CVE-2020-6843 – ZOHO ManageEngine ServiceDeskPlus 11.0 Build 11007 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2020-6843
22 Jan 2020 — Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS. This issue was fixed in version 11.0 Build 11010, SD-83959. Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 permite un ataque de cross-site scripting (XSS). Este problema se solucionó en la versión 11.0 Build 11010, SD-83959. ZOHO ManageEngine ServiceDeskPlus versions 11.0 Build 11007 and below suffer from a cross site scripting vulnerability. • https://packetstorm.news/files/id/156050 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 2%CPEs: 1EXPL: 3CVE-2019-15045 – Zoho Corporation ManageEngine ServiceDesk Plus Information Disclosure
https://notcve.org/view.php?id=CVE-2019-15045
21 Aug 2019 — AjaxDomainServlet in Zoho ManageEngine ServiceDesk Plus 10 allows User Enumeration. NOTE: the vendor's position is that this is intended functionality ** EN DISPUTA ** AjaxDomainServlet en Zoho ManageEngine ServiceDesk Plus versión 10 permite la enumeración de usuarios. NOTA: la posición del proveedor es que esta es la funcionalidad prevista. Zoho Corporation ManageEngine ServiceDesk Plus 10 versions prior to 10509 suffer from an information leakage vulnerability. • https://packetstorm.news/files/id/154183 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 2%CPEs: 1EXPL: 4CVE-2019-15046 – Zoho Corporation ManageEngine ServiceDesk Plus Information Disclosure
https://notcve.org/view.php?id=CVE-2019-15046
14 Aug 2019 — Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989. Zoho ManageEngine ServiceDesk Plus 10 anteriores a la versión 10509, permite el filtrado de información confidencial no autenticada durante la replicación de Fail Over Service (FOS), también se conoce como SD-79989. Zoho Corporation ManageEngine ServiceDesk Plus 10 versions prior to 10509 suffer from an information leakage vulnerability. • https://packetstorm.news/files/id/154183 • CWE-287: Improper Authentication •
CVSS: 6.1EPSS: 5%CPEs: 1EXPL: 1CVE-2019-12539
https://notcve.org/view.php?id=CVE-2019-12539
11 Jul 2019 — An issue was discovered in the Purchase component of Zoho ManageEngine ServiceDesk Plus. There is XSS via the SearchN.do search field, a different vulnerability than CVE-2019-12189. Se detectó un problema en el componente Purchase de ManageEngine ServiceDesk Plus de Zoho. Se presenta un problema de tipo XSS por medio del campo de búsqueda SearchN.do, una vulnerabilidad diferente a CVE-2019-12189. • https://github.com/tarantula-team/Multiple-Cross-Site-Scripting-vulnerabilities-in-Zoho-ManageEngine • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 5%CPEs: 1EXPL: 1CVE-2019-12540
https://notcve.org/view.php?id=CVE-2019-12540
11 Jul 2019 — An issue was discovered in Zoho ManageEngine ServiceDesk Plus 10.5. There is XSS via the WorkOrder.do search field. Se detectó un problema en ManageEngine ServiceDesk Plus versión 10.5 de Zoho. Se presenta un problema de tipo XSS por medio del campo de búsqueda WorkOrder.do. • https://github.com/tarantula-team/Multiple-Cross-Site-Scripting-vulnerabilities-in-Zoho-ManageEngine • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 8%CPEs: 1EXPL: 2CVE-2019-12252 – Zoho ManageEngine ServiceDesk Plus < 10.5 - Improper Access Restrictions
https://notcve.org/view.php?id=CVE-2019-12252
21 May 2019 — In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the SDNotify.do?notifyModule=Solution&mode=E-Mail¬ifyTo=SOLFORWARD&id= substring. En Zoho ManageEngine ServiceDesk Plus hasta la versión 10.5, los usuarios con menos privilegios (guest) pueden ver una publicación arbitraria agregando su número al SDNotify.do?notifyModule=Solution&mode=E-Mail¬ifyTo=SOLFORWARD&id= substring. Zoho ManageEngine ServiceDesk Plus... • https://packetstorm.news/files/id/153029 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 1CVE-2018-5799 – ManageEngine Service Desk Plus Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-5799
28 Mar 2018 — In Zoho ManageEngine ServiceDesk Plus before 9403, an XSS issue allows an attacker to run arbitrary JavaScript via a /api/request/?OPERATION_NAME= URI, aka SD-69139. En Zoho ManageEngine ServiceDesk Plus en versiones anteriores a la 9403, un problema Cross-Site Scripting (XSS) permite que un atacante ejecute código JavaScript arbitrario mediante un URI /api/request/?OPERATION_NAME=, también conocido como SD-69139. ManageEngine Service Desk Plus versions prior to 9403 suffer from a cross site scripting vulne... • https://packetstorm.news/files/id/146922 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •