CVSS: 8.8 • EPSS: 0% • CPEs: 80 • EXPL: 0

06 Mar 2023 — ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Explorer through 6987 allow privilege escalation via query reports. This vulnerability allows remote attackers to escalate privileges on affected installations of ManageEngine ServiceDesk Plus MSP. Authentication is required to exploit this vulnerability. The specific flaw exists within the generateSQLReport function. The issue results from the lack of proper validation of user-suppl... • https://manageengine.com

CVSS: 9.0 • EPSS: 2% • CPEs: 2 • EXPL: 1

25 Feb 2023 — Zoho ManageEngine Desktop Central and Desktop Central MSP before 10.1.2137.2 allow directory traversal via computerName to AgentLogUploadServlet. A remote, authenticated attacker could upload arbitrary code that would be executed when Desktop Central is restarted. (The attacker could authenticate by exploiting CVE-2021-44515.) • https://srcincite.io/blog/2022/01/20/zohowned-a-critical-authentication-bypass-on-zoho-manageengine-desktop-central.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 6.4 • EPSS: 0% • CPEs: 8 • EXPL: 0

01 Feb 2023 — Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component. • https://bugbounty.zohocorp.com/bb/#/bug/101000006459171?tab=originator • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 • EPSS: 0% • CPEs: 14 • EXPL: 0

01 Feb 2023 — Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment. • https://bugbounty.zohocorp.com/bb/#/bug/101000006387693?tab=originator • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 • EPSS: 0% • CPEs: 38 • EXPL: 0

01 Feb 2023 — Cross Site Scripting (XSS) vulnerability in Zoho Asset Explorer 6.9 via the credential name when creating a new Assets Workstation. • https://bugbounty.zohocorp.com/bb/#/bug/101000006463045?tab=originator • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 • EPSS: 0% • CPEs: 8 • EXPL: 0

01 Feb 2023 — Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via embedding videos in the language component. • https://bugbounty.zohocorp.com/bb/#/bug/101000006459195?tab=originator • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 10.0 • EPSS: 0% • CPEs: 27 • EXPL: 0

01 Feb 2023 — OS Command injection vulnerability in Support Center Plus 11 via Executor in Action when creating new schedules. • https://bugbounty.zohocorp.com/bb/#/bug/101000006459751?tab=originator • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 6.4 • EPSS: 0% • CPEs: 8 • EXPL: 0

01 Feb 2023 — Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credentials in the Assets. • https://bugbounty.zohocorp.com/bb/#/bug/101000006458675?tab=originator • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

23 Jan 2023 — The Zoho Forms WordPress plugin before 3.0.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. The Zoho Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping on user suppli... • https://wpscan.com/vulnerability/178d71f2-4666-4f7e-ada5-cb72a50fd663 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.4 • EPSS: 1% • CPEs: 15 • EXPL: 0

20 Jan 2023 — Zoho ManageEngine ServiceDesk Plus MSP before 10611, and 13x before 13004, is vulnerable to authentication bypass when LDAP authentication is enabled. • https://manageengine.com • CWE-287: Improper Authentication