CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2019-12541 – Zoho ManageEngine ServiceDesk Plus 9.3 - 'SolutionSearch.do' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-12541
05 Jun 2019 — An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter. Se descubrió un problema en Zoho ManageEngine ServiceDesk Plus 9.3. Hay XSS a través del parámetro SolutionSearch.do searchText. • https://www.exploit-db.com/exploits/46964 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2019-12542 – Zoho ManageEngine ServiceDesk Plus 9.3 - 'SearchN.do' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-12542
05 Jun 2019 — An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter. Se descubrió un problema en Zoho ManageEngine ServiceDesk Plus 9.3. Hay XSS a través del parámetro UserConfigID de SearchN.do. • https://www.exploit-db.com/exploits/46965 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2019-12543 – Zoho ManageEngine ServiceDesk Plus 9.3 - 'PurchaseRequest.do' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-12543
05 Jun 2019 — An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter. Se descubrió un problema en Zoho ManageEngine ServiceDesk Plus 9.3. Hay XSS a través del parámetro PurchaseRequest.do serviceRequestId. • https://www.exploit-db.com/exploits/46966 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 4CVE-2019-12189 – Zoho ManageEngine ServiceDesk Plus 9.3 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-12189
21 May 2019 — An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field. Fue descubierto un problema en Zoho ManageEngine ServiceDesk Plus 9.3. Existe un XSS a través del campo de búsqueda SearchN.do. Zoho ManageEngine ServiceDesk Plus version 9.3 suffers from a cross site scripting vulnerability. • https://packetstorm.news/files/id/153028 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 2CVE-2019-12252 – Zoho ManageEngine ServiceDesk Plus < 10.5 - Improper Access Restrictions
https://notcve.org/view.php?id=CVE-2019-12252
21 May 2019 — In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the SDNotify.do?notifyModule=Solution&mode=E-Mail¬ifyTo=SOLFORWARD&id= substring. En Zoho ManageEngine ServiceDesk Plus hasta la versión 10.5, los usuarios con menos privilegios (guest) pueden ver una publicación arbitraria agregando su número al SDNotify.do?notifyModule=Solution&mode=E-Mail¬ifyTo=SOLFORWARD&id= substring. Zoho ManageEngine ServiceDesk Plus... • https://packetstorm.news/files/id/153029 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 4CVE-2019-10273 – ManageEngine ServiceDesk Plus 9.3 - User Enumeration
https://notcve.org/view.php?id=CVE-2019-10273
04 Apr 2019 — Information leakage vulnerability in the /mc login page in ManageEngine ServiceDesk Plus 9.3 software allows authenticated users to enumerate active users. Due to a flaw within the way the authentication is handled, an attacker is able to login and verify any active account. Una vulnerabilidad de fuga de información en la página de inicio de sesión /mc en el software ManageEngine ServiceDesk Plus 9.3 permite a los usuarios autenticados enumerar los usuarios activos. Debido a un error en la manera en la que ... • https://packetstorm.news/files/id/152439 • CWE-287: Improper Authentication •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2017-9362
https://notcve.org/view.php?id=CVE-2017-9362
25 Mar 2019 — ManageEngine ServiceDesk Plus before 9312 contains an XML injection at add Configuration items CMDB API. ManageEngine ServiceDesk Plus en sus versiones anteriores a la 9312 contiene una inyección XML en los ítems de adición de configuración de la API CMDB. • https://labs.integrity.pt/advisories/cve-2017-9362 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2017-9376
https://notcve.org/view.php?id=CVE-2017-9376
25 Mar 2019 — ManageEngine ServiceDesk Plus before 9314 contains a local file inclusion vulnerability in the defModule parameter in DefaultConfigDef.do and AssetDefaultConfigDef.do. ManageEngine ServiceDesk Plus en sus versiones anteriores a la 9314 contiene una vulnerabilidad de inclusión de archivo local en el parámetro defModule en DefaultConfigDef.do y AssetDefaultConfigDef.do. • http://www.securityfocus.com/bid/107558 • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 1%CPEs: 1EXPL: 0CVE-2019-8395
https://notcve.org/view.php?id=CVE-2019-8395
17 Feb 2019 — An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an attachment to a request. Existe una vulnerabilidad IDOR (Insecure Direct Object Reference) en Zoho ManageEngine ServiceDesk Plus (SDP) en versiones anteriores a la 10.0 build 10007 mediante un adjunto en una petición. • https://www.manageengine.com/products/service-desk/readme.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-706: Use of Incorrectly-Resolved Name or Reference •
CVSS: 7.5EPSS: 94%CPEs: 1EXPL: 2CVE-2019-8394 – Zoho ManageEngine ServiceDesk Plus (SDP) File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2019-8394
17 Feb 2019 — Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization. Zoho ManageEngine ServiceDesk Plus (SDP), en versiones anteriores a la 10.0 build 10012, permite que los atacantes remotos suban archivos arbitrarios mediante la personalización de la página de inicio. Zoho ManageEngine ServiceDesk Plus (SDP) versions prior to 10.0 build 10012 suffer from an arbitrary file upload vulnerability. Zoho ManageEngine ServiceDesk Plus (S... • https://packetstorm.news/files/id/151759 • CWE-434: Unrestricted Upload of File with Dangerous Type •