
CVSS: 9.8 | EPSS: 1% | CPEs: 1 | EXPL: 0

An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an attachment to a request.

• https://www.manageengine.com/products/service-desk/readme.html
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• CWE-706: Use of Incorrectly-Resolved Name or Reference

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Unauthenticated users are able to validate domain user accounts by sending a request containing the username to an API endpoint. The endpoint will return the user's logon domain if the account exists, or 'null' if it does not.

• http://www.securityfocus.com/bid/104287
• https://gitlab.com/e-sterling/cve-2018-7248
• https://medium.com/%40esterling_/cve-2018-7248-enumerating-active-directory-users-via-unauthenticated-manageengine-servicedesk-a1eda2942eb0

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

In Zoho ManageEngine ServiceDesk Plus before 9403, an XSS issue allows an attacker to run arbitrary JavaScript via a /api/request/?OPERATION_NAME= URI, aka SD-69139. ManageEngine Service Desk Plus versions prior to 9403 suffer from a cross-site scripting vulnerability.

• http://seclists.org/fulldisclosure/2018/Mar/58
• https://www.manageengine.com/products/service-desk/readme.html
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')