CVE-2024-50053

< 14.9

Zohocorp ManageEngine ServiceDesk Plus versions below 14920 , ServiceDesk Plus MSP and SupportCentre Plus versions below 14910

6.3MEDIUM

CVE-2024-41150

<= 14.7

An Stored Cross-site Scripting vulnerability in request module affects Zohocorp ManageEngine ServiceDesk Plus, ServiceDesk Plus M

6.3MEDIUM

CVE-2024-38869

<= 14.7

Zohocorp ManageEngine Endpoint Central affected by Incorrect authorization vulnerability in remote office deploy configurations.T

8.3HIGH

CVE-2024-27314

<= 14.6

Zoho ManageEngine ServiceDesk Plus versions below 14730, ServiceDesk Plus MSP below 14720 and SupportCenter Plus below 14720

2.4LOW

CVE-2023-6105

< 14.3

An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed.

5.5MEDIUM

CVE-2023-35785

< 14.2

Zoho ManageEngine Active Directory 360 versions 4315 and below, ADAudit Plus 7202 and below, ADManager Plus 7200 and below, Asset

8.1HIGH

CVE-2023-34197

< 14.2

Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP before 14300, and SupportCenter Plus before 14300 have a pri

5.4MEDIUM

CVE-2023-29443

< 14.1

Zoho ManageEngine ServiceDesk Plus before 14105, ServiceDesk Plus MSP before 14200, SupportCenter Plus before 14200, and AssetExpl

4.9MEDIUM

CVE-2023-26601

< 14.1

Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Cent

7.5HIGH

CVE-2023-26600

< 14.1

ManageEngine ServiceDesk Plus through 14104, ServiceDesk Plus MSP through 14000, Support Center Plus through 14000, and Asset Expl

6.5MEDIUM

CVE-2023-23078

all versions

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the comment field when changing the credenti

6.1MEDIUM

CVE-2023-23077

all versions

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status c

6.1MEDIUM

CVE-2023-23074

all versions

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via embedding videos in the language component.

6.1MEDIUM

CVE-2023-23073

all versions

Cross site scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component.

6.1MEDIUM

CVE-2022-47966

< 14.0

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of

9.8CRITICAL

CVE-2022-40772

< 14.0

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to a validation bypass that allows users to access sens

6.5MEDIUM

CVE-2022-40771

< 14.0

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to an XML External Entity attack that leads to Informat

4.9MEDIUM

CVE-2022-40770

< 13.0

Zoho ManageEngine ServiceDesk Plus versions 13010 and prior are vulnerable to authenticated command injection. This can be exploit

7.2HIGH

CVE-2022-35403

< 13.0

Zoho ManageEngine ServiceDesk Plus before 13008, ServiceDesk Plus MSP before 10606, and SupportCenter Plus before 11022 are affect

7.5HIGH

CVE-2022-25245

<= 12.0

Zoho ManageEngine ServiceDesk Plus before 13001 allows anyone to know the organisation's default currency name.

5.3MEDIUM

CVE-2021-46065

all versions

A Cross-site scripting (XSS) vulnerability in Secondary Email Field in Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306 allows

4.8MEDIUM

CVE-2021-44526

all versions

Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.

9.8CRITICAL

CVE-2021-44077

< 11.1

Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulner

9.8CRITICAL

CVE-2021-37415

all versions

Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without aut

9.8CRITICAL

CVE-2021-31160

all versions

Zoho ManageEngine ServiceDesk Plus MSP before 10521 allows an attacker to access internal data.

7.5HIGH

CVE-2021-20081

< 11.2

Incomplete List of Disallowed Inputs in ManageEngine ServiceDesk Plus before version 11205 allows a remote, authenticated attacker

7.2HIGH

CVE-2021-20080

all versions

Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before versi

6.1MEDIUM

CVE-2020-35682

< 11.1

Zoho ManageEngine ServiceDesk Plus before 11134 allows an Authentication Bypass (only during SAML login).

8.8HIGH

CVE-2020-14048

all versions

Zoho ManageEngine ServiceDesk Plus before 11.1 build 11115 allows remote unauthenticated attackers to change the installation stat

7.5HIGH

CVE-2020-13154

all versions

Zoho ManageEngine Service Plus before 11.1 build 11112 allows low-privilege authenticated users to discover the File Protection pa

6.5MEDIUM

CVE-2019-15083

all versions

Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation loca

6.1MEDIUM

CVE-2020-6843

<= 11.0

Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS. This issue was fixed in version 11.0 Build 11010, SD-83959.

4.8MEDIUM

CVE-2019-15045

>= 10 and < 10509

AjaxDomainServlet in Zoho ManageEngine ServiceDesk Plus 10 allows User Enumeration. NOTE: the vendor's position is that this is in

5.3MEDIUM

CVE-2019-15046

>= 10 and < 10509

Zoho ManageEngine ServiceDesk Plus 10 before 10509 allows unauthenticated sensitive information leakage during Fail Over Service (

7.5HIGH

CVE-2019-12540

all versions

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 10.5. There is XSS via the WorkOrder.do search field.

6.1MEDIUM

CVE-2019-12539

all versions

An issue was discovered in the Purchase component of Zoho ManageEngine ServiceDesk Plus. There is XSS via the SearchN.do search fi

6.1MEDIUM

CVE-2019-12133

all versions

Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\Manag

7.8HIGH

CVE-2019-12543

all versions

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parame

6.1MEDIUM

CVE-2019-12542

all versions

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter.

6.1MEDIUM

CVE-2019-12541

all versions

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter.

6.1MEDIUM

CVE-2019-12538

all versions

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do search field.

6.1MEDIUM

CVE-2019-12252

<= 10.5

In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appendi

6.5MEDIUM

CVE-2019-12189

all versions

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field.

6.1MEDIUM

CVE-2019-10273

all versions

Information leakage vulnerability in the /mc login page in ManageEngine ServiceDesk Plus 9.3 software allows authenticated users t

4.3MEDIUM

CVE-2017-9376

< 9.3

ManageEngine ServiceDesk Plus before 9314 contains a local file inclusion vulnerability in the defModule parameter in DefaultConfi

6.5MEDIUM

CVE-2017-9362

< 9.3

ManageEngine ServiceDesk Plus before 9312 contains an XML injection at add Configuration items CMDB API.

8.8HIGH

CVE-2019-8395

< 10.0

An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 1000

9.8CRITICAL

CVE-2019-8394

< 10.0.0

Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page

6.5MEDIUM

CVE-2018-7248

all versions

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Unauthenticated users are able to validate domain us

5.3MEDIUM

CVE-2018-5799

< 9403

In Zoho ManageEngine ServiceDesk Plus before 9403, an XSS issue allows an attacker to run arbitrary JavaScript via a /api/request/

6.1MEDIUM

CVE-2014-5302

all versions

Directory traversal vulnerability in ServiceDesk Plus and Plus MSP v5 through v9.0 v9030; AssetExplorer v4 to v6.1; SupportCenter

8.8HIGH

CVE-2014-5301

all versions

Directory traversal vulnerability in ServiceDesk Plus MSP v5 to v9.0 v9030; AssetExplorer v4 to v6.1; SupportCenter v5 to v7.9; IT

8.8HIGH

CVE-2015-1480

<= 9.0

ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to obtain sensitive ticket inform

CVE-2012-2585

all versions

Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine ServiceDesk Plus 8.1 allow remote attackers to inject arbitrar

CVE-2011-1510

<= 8.0

Cross-site scripting (XSS) vulnerability in SolutionSearch.do in ManageEngine ServiceDesk Plus (SDP) before 8012 allows remote att

CVE-2011-1509

<= 8012

The encryptPassword function in Login.js in ManageEngine ServiceDesk Plus (SDP) 8012 and earlier uses a Caesar cipher for encrypti

CVE-2011-2757

<= 8.0.0.12

Directory traversal vulnerability in FileDownload.jsp in ManageEngine ServiceDesk Plus 8.0.0.12 and earlier allows remote attacker

CVE-2011-2756

all versions

FileDownload.jsp in ManageEngine ServiceDesk Plus 8.0 before Build 8012 does not require authentication, which allows remote attac

CVE-2011-2755

all versions

Directory traversal vulnerability in FileDownload.jsp in ManageEngine ServiceDesk Plus 8.0 before Build 8012 allows remote attacke

CVE-2008-1299

all versions

Cross-site scripting (XSS) vulnerability in SolutionSearch.do in ManageEngine ServiceDesk Plus 7.0.0 Build 7011 for Windows allows

6.1MEDIUM