CVSS: 6.1EPSS: 5%CPEs: 1EXPL: 1CVE-2019-12539
https://notcve.org/view.php?id=CVE-2019-12539
11 Jul 2019 — An issue was discovered in the Purchase component of Zoho ManageEngine ServiceDesk Plus. There is XSS via the SearchN.do search field, a different vulnerability than CVE-2019-12189. Se detectó un problema en el componente Purchase de ManageEngine ServiceDesk Plus de Zoho. Se presenta un problema de tipo XSS por medio del campo de búsqueda SearchN.do, una vulnerabilidad diferente a CVE-2019-12189. • https://github.com/tarantula-team/Multiple-Cross-Site-Scripting-vulnerabilities-in-Zoho-ManageEngine • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 5%CPEs: 1EXPL: 1CVE-2019-12540
https://notcve.org/view.php?id=CVE-2019-12540
11 Jul 2019 — An issue was discovered in Zoho ManageEngine ServiceDesk Plus 10.5. There is XSS via the WorkOrder.do search field. Se detectó un problema en ManageEngine ServiceDesk Plus versión 10.5 de Zoho. Se presenta un problema de tipo XSS por medio del campo de búsqueda WorkOrder.do. • https://github.com/tarantula-team/Multiple-Cross-Site-Scripting-vulnerabilities-in-Zoho-ManageEngine • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 18EXPL: 0CVE-2019-12133
https://notcve.org/view.php?id=CVE-2019-12133
18 Jun 2019 — Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, SupportCenter Plus ... • https://github.com/active-labs/Advisories/blob/master/2019/ACTIVE-2019-007.md • CWE-427: Uncontrolled Search Path Element CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.1EPSS: 2%CPEs: 1EXPL: 2CVE-2019-12538 – Zoho ManageEngine ServiceDesk Plus 9.3 - 'SiteLookup.do' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-12538
05 Jun 2019 — An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do search field. Se descubrió un problema en Zoho ManageEngine ServiceDesk Plus 9.3. Hay XSS a través del campo de búsqueda SiteLookup.do. • https://www.exploit-db.com/exploits/46963 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 2%CPEs: 1EXPL: 2CVE-2019-12541 – Zoho ManageEngine ServiceDesk Plus 9.3 - 'SolutionSearch.do' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-12541
05 Jun 2019 — An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter. Se descubrió un problema en Zoho ManageEngine ServiceDesk Plus 9.3. Hay XSS a través del parámetro SolutionSearch.do searchText. • https://www.exploit-db.com/exploits/46964 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 2%CPEs: 1EXPL: 2CVE-2019-12542 – Zoho ManageEngine ServiceDesk Plus 9.3 - 'SearchN.do' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-12542
05 Jun 2019 — An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter. Se descubrió un problema en Zoho ManageEngine ServiceDesk Plus 9.3. Hay XSS a través del parámetro UserConfigID de SearchN.do. • https://www.exploit-db.com/exploits/46965 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 2%CPEs: 1EXPL: 2CVE-2019-12543 – Zoho ManageEngine ServiceDesk Plus 9.3 - 'PurchaseRequest.do' Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-12543
05 Jun 2019 — An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter. Se descubrió un problema en Zoho ManageEngine ServiceDesk Plus 9.3. Hay XSS a través del parámetro PurchaseRequest.do serviceRequestId. • https://www.exploit-db.com/exploits/46966 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 7%CPEs: 1EXPL: 4CVE-2019-12189 – Zoho ManageEngine ServiceDesk Plus 9.3 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2019-12189
21 May 2019 — An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field. Fue descubierto un problema en Zoho ManageEngine ServiceDesk Plus 9.3. Existe un XSS a través del campo de búsqueda SearchN.do. Zoho ManageEngine ServiceDesk Plus version 9.3 suffers from a cross site scripting vulnerability. • https://packetstorm.news/files/id/153028 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 8%CPEs: 1EXPL: 2CVE-2019-12252 – Zoho ManageEngine ServiceDesk Plus < 10.5 - Improper Access Restrictions
https://notcve.org/view.php?id=CVE-2019-12252
21 May 2019 — In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the SDNotify.do?notifyModule=Solution&mode=E-Mail¬ifyTo=SOLFORWARD&id= substring. En Zoho ManageEngine ServiceDesk Plus hasta la versión 10.5, los usuarios con menos privilegios (guest) pueden ver una publicación arbitraria agregando su número al SDNotify.do?notifyModule=Solution&mode=E-Mail¬ifyTo=SOLFORWARD&id= substring. Zoho ManageEngine ServiceDesk Plus... • https://packetstorm.news/files/id/153029 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 4.3EPSS: 10%CPEs: 1EXPL: 4CVE-2019-10273 – ManageEngine ServiceDesk Plus 9.3 - User Enumeration
https://notcve.org/view.php?id=CVE-2019-10273
04 Apr 2019 — Information leakage vulnerability in the /mc login page in ManageEngine ServiceDesk Plus 9.3 software allows authenticated users to enumerate active users. Due to a flaw within the way the authentication is handled, an attacker is able to login and verify any active account. Una vulnerabilidad de fuga de información en la página de inicio de sesión /mc en el software ManageEngine ServiceDesk Plus 9.3 permite a los usuarios autenticados enumerar los usuarios activos. Debido a un error en la manera en la que ... • https://packetstorm.news/files/id/152439 • CWE-287: Improper Authentication •