CVE-2021-20080
https://notcve.org/view.php?id=CVE-2021-20080
Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks by uploading a crafted XML asset file. Un saneamiento de salida insuficiente en ManageEngine ServiceDesk Plus versiones anteriores a 11200 y ManageEngine AssetExplorer versiones anteriores a 6800, permite a un atacante remoto no autenticado conducir ataques de tipo cross-site scripting (XSS) persistente al cargar un archivo de activos XML diseñado • https://www.tenable.com/security/research/tra-2021-11 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-35682
https://notcve.org/view.php?id=CVE-2020-35682
Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login). Zoho ManageEngine ServiceDesk Plus versiones anteriores a 11134, permite una omisión de autenticación (solo durante el inicio de sesión SAML) • https://github.com/its-arun/CVE-2020-35682 https://www.manageengine.com/products/service-desk/on-premises/readme.html#11134 • CWE-863: Incorrect Authorization •
CVE-2020-14048
https://notcve.org/view.php?id=CVE-2020-14048
Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation status of deployed agents. Zoho ManageEngine ServiceDesk Plus versiones anteriores a 11.1, build 11115, permite a atacantes remotos no autenticados cambiar el estado de instalación de los agentes desplegados • https://gitlab.com/eLeN3Re/CVE-2020-14048 https://www.manageengine.com/products/service-desk/on-premises/readme.html • CWE-306: Missing Authentication for Critical Function •
CVE-2019-15083 – ManageEngine Service Desk 10.0 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-15083
Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute code on the Manage Engine ServiceDesk administrator side. At "Asset Home > Server > <workstation> > software" the administrator of ManageEngine can control what software is installed on the workstation. This table shows all the installed program names in the Software column. In this field, a remote attacker can inject malicious code in order to execute it when the ManageEngine administrator visualizes this page. • https://www.exploit-db.com/exploits/48473 http://packetstormsecurity.com/files/157717/ManageEngine-Service-Desk-10.0-Cross-Site-Scripting.html https://www.manageengine.com/products/service-desk/on-premises/readme.html#readme105 https://www.manageengine.com/products/service-desk/readme.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-6843 – ZOHO ManageEngine ServiceDeskPlus 11.0 Build 11007 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2020-6843
Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS. This issue was fixed in version 11.0 Build 11010, SD-83959. Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 permite un ataque de cross-site scripting (XSS). Este problema se solucionó en la versión 11.0 Build 11010, SD-83959. ZOHO ManageEngine ServiceDeskPlus versions 11.0 Build 11007 and below suffer from a cross site scripting vulnerability. • http://packetstormsecurity.com/files/156050/ZOHO-ManageEngine-ServiceDeskPlus-11.0-Build-11007-Cross-Site-Scripting.html http://seclists.org/fulldisclosure/2020/Jan/32 https://sec-consult.com/en/vulnerability-lab/advisories/index.html https://seclists.org/bugtraq/2020/Jan/34 https://www.manageengine.com/products/service-desk/readme.html#11010%20-%20SD-83959 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •