CVSS: 7.5EPSS: 0%CPEs: 65EXPL: 0CVE-2022-35403
https://notcve.org/view.php?id=CVE-2022-35403
Zoho ManageEngine ServiceDesk Plus before 13008, ServiceDesk Plus MSP before 10606, and SupportCenter Plus before 11022 are affected by an unauthenticated local file disclosure vulnerability via ticket-creation email. (This also affects Asset Explorer before 6977 with authentication.) Zoho ManageEngine ServiceDesk Plus versiones anteriores a 13008, ServiceDesk Plus MSP versiones anteriores a 10606 y SupportCenter Plus versiones anteriores a 11022 están afectados por una vulnerabilidad de divulgación de archivos locales sin autenticación por medio del correo electrónico de creación de tickets. (Esto también afecta a Asset Explorer versiones anteriores a 6977 con autenticación) • https://www.manageengine.com/products/service-desk/cve-2022-35403.html •
CVSS: 5.4EPSS: 0%CPEs: 22EXPL: 1CVE-2022-25373
https://notcve.org/view.php?id=CVE-2022-25373
Zoho ManageEngine SupportCenter Plus before 11020 allows Stored XSS in the request history. Zoho ManageEngine SupportCenter Plus versiones anteriores a 11020, permite el almacenamiento de tipo XSS en el historial de peticiones • https://manageengine.com https://pitstop.manageengine.com/portal/en/community/topic/manageengine-supportcenter-plus-version-11-0-build-11020-released https://raxis.com/blog/cve-2022-25373 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 97%CPEs: 72EXPL: 3CVE-2021-44077 – Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-44077
Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration. Zoho ManageEngine ServiceDesk Plus versiones anteriores a 11306, ServiceDesk Plus MSP versiones anteriores a 10530, y SupportCenter Plus versiones anteriores a 11014, son vulnerables a una ejecución de código remota no autenticada. Esto está relacionado con las URLs /RestAPI en un servlet, y con ImportTechnicians en la configuración de Struts Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution • https://github.com/horizon3ai/CVE-2021-44077 https://github.com/pizza-power/Golang-CVE-2021-44077-POC http://packetstormsecurity.com/files/165400/ManageEngine-ServiceDesk-Plus-Remote-Code-Execution.html https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-authentication-bypass-vulnerability-in-servicedesk-plus-versions-11138-and-above https://pitstop.manageengine.com/portal/en/community/topic/security-advisory-for-cve-2021-44077-unauthenticated-rce-vulnerability-in-servicedesk-plus-msp-versions-10527-till-10529& • CWE-306: Missing Authentication for Critical Function •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-16965 – ManageEngine SupportCenter Plus 8.1.0 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2018-16965
In Zoho ManageEngine SupportCenter Plus before 8.1 Build 8109, there is HTML Injection and Stored XSS via the /ServiceContractDef.do contractName parameter. En Zoho ManageEngine SupportCenter Plus en versiones anteriores a la 8.1 Build 8109, hay una inyección HTML y Cross-Site Scripting (XSS) persistente mediante el parámetro contractName en /ServiceContractDef.do. ManageEngine SupportCenter Plus version 8.1.0 suffers from cross site scripting and html injection vulnerabilities. • http://packetstormsecurity.com/files/149438/ManageEngine-SupportCenter-Plus-8.1.0-Cross-Site-Scripting.html https://pitstop.manageengine.com/portal/community/topic/supportcenter-plus-version-8-1-build-8109-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 1%CPEs: 1EXPL: 3CVE-2015-5149 – ManageEngine SupportCenter Plus 7.90 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-5149
Directory traversal vulnerability in Zoho ManageEngine SupportCenter Plus 7.90 allows remote authenticated users to write to arbitrary files via a .. (dot dot) in the component parameter in the Request component to workorder/Attachment.jsp. Vulnerabilidad de salto de directorio en Zoho ManageEngine SupportCenter Plus 7.90 permite a usuarios remotos autenticados escribir en ficheros arbitrarios a través de un .. (punto punto) en el parámetro component en el componente Request en workorder/Attachment.jsp. • https://www.exploit-db.com/exploits/37322 http://packetstormsecurity.com/files/132376/ManageEngine-SupportCenter-Plus-7.90-XSS-Traversal-Password-Disclosure.html http://www.securityfocus.com/bid/75512 http://www.vulnerability-lab.com/get_content.php?id=1501 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •