
30 matches found

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2017-3128

Malware in sbrugna...

CVSS 7.5 | AI score 7.6 | EPSS 0.04072
Exploits: 0 | References: 3

Tenable Nessus
added 2023/11/15 12:0 a.m. | 39 views

ManageEngine ServiceDesk Plus MSP < 10.6 Build 10611 / 13.0 Build 13004

The version of ManageEngine ServiceDesk Plus MSP installed on the remote host is prior to 10.6 Build 10611, 13.0 Build 13004. It is, therefore, affected by a vulnerability as referenced in the service-desk-mspcve-2023-22964 advisory. - Zoho ManageEngine ServiceDesk Plus MSP before 10611, and 13x...

CVSS 9.1 | AI score 8.3 | EPSS 0.01011
Exploits: 0 | References: 2

Tenable Nessus
added 2023/05/04 12:0 a.m. | 65 views

ManageEngine ServiceDesk Plus MSP < 14.2 Build 14200 XXE

An XML external entity vulnerability exists in ManageEngine ServiceDesk Plus MSP prior to 14.2 Build 14200. A threat actor with the SDAdmin role can configure a malicious server to return a response with a malformed XML using the Reports integration API, causing an XML External Entity (XXE) attack...

CVSS 4.9 | AI score 5.4 | EPSS 0.05826
Exploits: 0 | References: 3

Tenable Nessus
added 2023/03/15 12:0 a.m. | 49 views

ManageEngine ServiceDesk Plus < 14.0 Build 14104 Multiple Vulnerabilities

The version of ManageEngine ServiceDesk Plus running on the remote host is prior to 14.0 Build 14104. It is, therefore, affected by multiple vulnerabilities, including the following: - A Denial of Service vulnerability in image upload allows an attacker to exploit the way an API method allocates...

CVSS 7.5 | AI score 6.8 | EPSS 0.16355
Exploits: 0 | References: 5

Tenable Nessus
added 2022/12/02 12:0 a.m. | 99 views

ManageEngine ServiceDesk Plus < 14.0 Build 14001 Multiple Vulnerabilities

The version of ManageEngine ServiceDesk Plus running on the remote host is prior to 14.0 Build 14001. It is, therefore, affected by multiple vulnerabilities, including the following: - An XML external entity (XXE) vulnerability due to a flaw in the Analytics Plus integration. Threat actors with adm...

CVSS 6.5 | AI score 5.9 | EPSS 0.01014
Exploits: 0 | References: 5

Zero Day Initiative
added 2022/11/21 12:0 a.m. | 27 views

ManageEngine ServiceDesk Plus MSP generateSQLReport Improper Input Validation Privilege Escalation Vulnerability

This vulnerability allows remote attackers to escalate privileges on affected installations of ManageEngine ServiceDesk Plus MSP. Authentication is required to exploit this vulnerability. The specific flaw exists within the generateSQLReport function. The issue results from the lack of proper...

CVSS 8.8 | AI score 2.4 | EPSS 0.00536
Exploits: 0 | References: 1

CNVD
added 2022/04/07 12:0 a.m. | 21 views

ZOHO ManageEngine ServiceDesk Plus Information Disclosure Vulnerability (CNVD-2022-29863)

ZOHO ManageEngine ServiceDesk Plus (SDP) is a set of ITIL-based IT service management software from ZOHO, USA. The software integrates incident management, issue management, asset management, IT project management, procurement and contract management, and other functional modules. ZOHO ManageEngine...

CVSS 5.3 | AI score 1.9 | EPSS 0.02894
Exploits: 0 | References: 1

Metasploit
added 2021/12/28 5:43 p.m. | 178 views

ManageEngine ServiceDesk Plus CVE-2021-44077

This module exploits CVE-2021-44077, an unauthenticated remote code execution vulnerability in ManageEngine ServiceDesk Plus, to upload an EXE (msiexec.exe) and execute it as the SYSTEM account. Note that build 11305 is vulnerable to the authentication bypass but not the file upload. The module wil...

CVSS 9.8 | AI score 10 | EPSS 0.943
Exploits: 6

GithubExploit
added 2021/12/08 8:24 p.m. | 511 views

Exploit for Missing Authentication for Critical Function in Zohocorp Manageengine_Servicedesk_Plus

CVE-2021-44077 Proof of Concept Exploit for CVE-2021-44077: Pr...

CVSS 9.8 | AI score 9.8 | EPSS 0.943
Exploits: 6

Tenable Nessus
added 2021/12/06 12:0 a.m. | 603 views

ManageEngine ServiceDesk Plus < 11.3 Build 11306 / ManageEngine ServiceDesk Plus MSP < 10.5 Build 10530 RCE

A remote code execution vulnerability exists in ManageEngine ServiceDesk Plus prior to 11.3 Build 11306 and ManageEngine ServiceDesk Plus MSP prior to 10.5 Build 10530 due to a flaw in the /RestAPI URLs in a servlet and ImportTechnicians in the Struts configuration. Note that Nessus has not teste...

CVSS 9.8 | AI score 9.4 | EPSS 0.943
Exploits: 6 | References: 4

Tenable Nessus
added 2021/07/02 12:0 a.m. | 251 views

ManageEngine ServiceDesk Plus < 11.2 Build 11205 RCE

A command injection vulnerability exists in ManageEngine ServiceDesk Plus 11.2 Build 11205 due to insufficient sanitisation of user supplied input. An authenticated, remote attacker can exploit this to execute arbitrary commands with SYSTEM privileges. Note that Nessus has not tested for this iss...

CVSS 9 | AI score 7.4 | EPSS 0.53698
Exploits: 1 | References: 2

CNVD
added 2019/08/21 12:0 a.m. | 2 views

ZOHO ManageEngine ServiceDesk Plus Information Disclosure Vulnerability (CNVD-2019-32072)

ZOHO ManageEngine ServiceDesk Plus is a set of ITIL-based IT service management software (ITSM) from ZOHO. The software integrates incident management, problem management, asset management, IT project management, procurement and contract management and other functional modules. An information...

CVSS 7.5 | AI score 6.2 | EPSS 0.04886
Exploits: 3 | References: 1

Prion
added 2019/04/04 4:29 p.m. | 16 views

Information disclosure

Information leakage vulnerability in the /mc login page in ManageEngine ServiceDesk Plus 9.3 software allows authenticated users to enumerate active users. Due to a flaw within the way the authentication is handled, an attacker is able to login and verify any active account...

CVSS 4 | AI score 5.3 | EPSS 0.13704
Exploits: 5 | References: 3 | Affected Software: 1

Check Point Advisories
added 2018/01/02 12:0 a.m. | 4 views

ManageEngine ServiceDesk DownloadFileServlet Information Disclosure (CVE-2017-11511)

An information disclosure vulnerability exists within ManageEngine ServiceDesk for Microsoft Windows. The vulnerability is due to the way ServiceDesk handles download requests. A successful attack could lead to stolen system information...

CVSS 5 | AI score 1.5 | EPSS 0.04072
Exploits: 0

Prion
added 2017/11/08 10:29 p.m. | 14 views

Design/Logic Flaw

The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the filepath parameter for the download-file URL. An unauthenticated remote attacker can use this vulnerability to download arbitrary files...

CVSS 5 | AI score 7.6 | EPSS 0.04072
Exploits: 0 | References: 2 | Affected Software: 1

NVD
added 2017/11/08 10:29 p.m. | 16 views

CVE-2017-11511

The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the filepath parameter for the download-file URL. An unauthenticated remote attacker can use this vulnerability to download arbitrary files...

CVSS 7.5 | AI score 7.6 | EPSS 0.04072
Exploits: 0 | References: 2

Cvelist
added 2017/11/08 10:0 p.m. | 18 views

CVE-2017-11511

The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the filepath parameter for the download-file URL. An unauthenticated remote attacker can use this vulnerability to download arbitrary files...

AI score 7.6 | EPSS 0.04072
Exploits: 0 | References: 2

Cvelist
added 2017/11/08 10:0 p.m. | 14 views

CVE-2017-11512

The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the name parameter for the download-snapshot URL. An unauthenticated remote attacker can use this vulnerability to download arbitrary files...

AI score 7.6 | EPSS 0.86957
Exploits: 0 | References: 2

ATTACKERKB
added 2017/11/08 12:0 a.m. | 97 views

CVE-2017-11512

The ManageEngine ServiceDesk 9.3.9328 is vulnerable to arbitrary file downloads due to improper restrictions of the pathname used in the name parameter for the download-snapshot URL. An unauthenticated remote attacker can use this vulnerability to download arbitrary files. Recent assessments:...

CVSS 7.5 | AI score 7.7 | EPSS 0.86957
In wild | Exploits: 0 | References: 3

Tenable Nessus
added 2015/10/20 12:0 a.m. | 215 views

ManageEngine ServiceDesk Plus User and Domain Enumeration

The installed version of ManageEngine ServiceDesk Plus running on the remote web server is affected by an information disclosure vulnerability due to a flaw in the /servlet/AJaxServlet script that is triggered when handling a request involving the 'checkUser' or 'searchLocalAuthDomain' actions. A...

AI score 5.8
Exploits: 0 | References: 2