CVSS: 5.3EPSS: 16%CPEs: 112EXPL: 4CVE-2021-31159 – Zoho ManageEngine ServiceDesk Plus MSP 9.4 - User Enumeration
https://notcve.org/view.php?id=CVE-2021-31159
16 Jun 2021 — Zoho ManageEngine ServiceDesk Plus MSP before 10519 is vulnerable to a User Enumeration bug due to improper error-message generation in the Forgot Password functionality, aka SDPMSP-15732. Zoho ManageEngine ServiceDesk Plus MSP versiones anteriores a 10519 es vulnerable a un bug de Enumeración de Usuarios debido a la generación inapropiada de mensajes de error en la funcionalidad Forgot Password, también se conoce como SDPMSP-15732 Zoho ManageEngine ServiceDesk Plus version 9.4 suffers from a user enumerati... • https://packetstorm.news/files/id/163192 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 9.0EPSS: 64%CPEs: 7EXPL: 1CVE-2021-20081
https://notcve.org/view.php?id=CVE-2021-20081
10 Jun 2021 — Incomplete List of Disallowed Inputs in ManageEngine ServiceDesk Plus before version 11205 allows a remote, authenticated attacker to execute arbitrary commands with SYSTEM privileges. La lista incompleta de entradas no permitidas en ManageEngine ServiceDesk Plus versiones anteriores a 11205 permite a un atacante remoto y autenticado ejecutar comandos arbitrarios con privilegios SYSTEM • https://www.tenable.com/security/research/tra-2021-22 •
CVSS: 6.1EPSS: 35%CPEs: 276EXPL: 1CVE-2021-20080
https://notcve.org/view.php?id=CVE-2021-20080
09 Apr 2021 — Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks by uploading a crafted XML asset file. Un saneamiento de salida insuficiente en ManageEngine ServiceDesk Plus versiones anteriores a 11200 y ManageEngine AssetExplorer versiones anteriores a 6800, permite a un atacante remoto no autenticado conducir ataques de tipo cross-sit... • https://www.tenable.com/security/research/tra-2021-11 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 35EXPL: 1CVE-2020-35682
https://notcve.org/view.php?id=CVE-2020-35682
13 Mar 2021 — Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login). Zoho ManageEngine ServiceDesk Plus versiones anteriores a 11134, permite una omisión de autenticación (solo durante el inicio de sesión SAML) • https://github.com/its-arun/CVE-2020-35682 • CWE-863: Incorrect Authorization •
CVSS: 7.5EPSS: 30%CPEs: 269EXPL: 0CVE-2020-14048
https://notcve.org/view.php?id=CVE-2020-14048
12 Jun 2020 — Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents. Zoho ManageEngine ServiceDesk Plus versiones anteriores a 11.1, build 11115, permite a atacantes remotos no autenticados cambiar el estado de instalación de los agentes desplegados • https://gitlab.com/eLeN3Re/CVE-2020-14048 • CWE-306: Missing Authentication for Critical Function •
CVSS: 6.5EPSS: 0%CPEs: 13EXPL: 1CVE-2020-13154
https://notcve.org/view.php?id=CVE-2020-13154
18 May 2020 — Zoho ManageEngine Service Plus before 11.1 build 11112 allows low-privilege authenticated users to discover the File Protection password via a getFileProtectionSettings call to AjaxServlet. Zoho ManageEngine Service Plus versiones anteriores a 11.1 build 11112, permite a usuarios autenticados con pocos privilegios detectar la contraseña de File Protection mediante una llamada de getFileProtectionSettings a AjaxServlet. • https://gitlab.com/eLeN3Re/CVE-2020-13154 • CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 1%CPEs: 23EXPL: 2CVE-2019-15083 – ManageEngine Service Desk 10.0 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-15083
14 May 2020 — Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute code on the Manage Engine ServiceDesk administrator side. At "Asset Home > Server >
CVSS: 4.8EPSS: 4%CPEs: 1EXPL: 5CVE-2020-6843 – ZOHO ManageEngine ServiceDeskPlus 11.0 Build 11007 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2020-6843
22 Jan 2020 — Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS. This issue was fixed in version 11.0 Build 11010, SD-83959. Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 permite un ataque de cross-site scripting (XSS). Este problema se solucionó en la versión 11.0 Build 11010, SD-83959. ZOHO ManageEngine ServiceDeskPlus versions 11.0 Build 11007 and below suffer from a cross site scripting vulnerability. • https://packetstorm.news/files/id/156050 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 2%CPEs: 1EXPL: 3CVE-2019-15045 – Zoho Corporation ManageEngine ServiceDesk Plus Information Disclosure
https://notcve.org/view.php?id=CVE-2019-15045
21 Aug 2019 — AjaxDomainServlet in Zoho ManageEngine ServiceDesk Plus 10 allows User Enumeration. NOTE: the vendor's position is that this is intended functionality ** EN DISPUTA ** AjaxDomainServlet en Zoho ManageEngine ServiceDesk Plus versión 10 permite la enumeración de usuarios. NOTA: la posición del proveedor es que esta es la funcionalidad prevista. Zoho Corporation ManageEngine ServiceDesk Plus 10 versions prior to 10509 suffer from an information leakage vulnerability. • https://packetstorm.news/files/id/154183 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 2%CPEs: 1EXPL: 4CVE-2019-15046 – Zoho Corporation ManageEngine ServiceDesk Plus Information Disclosure
https://notcve.org/view.php?id=CVE-2019-15046
14 Aug 2019 — Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (FOS) replication, aka SD-79989. Zoho ManageEngine ServiceDesk Plus 10 anteriores a la versión 10509, permite el filtrado de información confidencial no autenticada durante la replicación de Fail Over Service (FOS), también se conoce como SD-79989. Zoho Corporation ManageEngine ServiceDesk Plus 10 versions prior to 10509 suffer from an information leakage vulnerability. • https://packetstorm.news/files/id/154183 • CWE-287: Improper Authentication •