53 matches found
Zoho ManageEngine ServiceDesk Plus - Remote Code Execution
Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. id: CVE-2021-44077 info: name: Zoho ManageEngine ServiceDesk Plus - Remote Code Execution author: Adam Crosser,gy741...
CVE-2019-12541
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter...
EUVD-2016-5866
Malware in sbrugna...
CVE-2015-1479
SQL injection vulnerability in reports/CreateReportTable.jsp in ZOHO ManageEngine ServiceDesk Plus SDP before 9.0 build 9031 allows remote authenticated users to execute arbitrary SQL commands via the site parameter...
CVE-2019-15045
AjaxDomainServlet in Zoho ManageEngine ServiceDesk Plus 10 allows User Enumeration. NOTE: the vendor's position is that this is intended functionality...
CVE-2019-12540
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 10.5. There is XSS via the WorkOrder.do search field...
CVE-2019-15083
Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute code on the Manage Engine ServiceDesk administrator...
ManageEngine ServiceDesk Plus < 14.1 Build 14103
The version of ManageEngine ServiceDesk Plus installed on the remote host is prior to 14.1 Build 14103. It is, therefore, affected by a vulnerability as referenced in the service-deskCVE-2023-23078 advisory. - Cross site scripting XSS vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via the...
Zoho ManageEngine ServiceDesk Plus SAMLResponse command execution
Added: 02/17/2023 Background Zoho ManageEngine ServiceDesk Plus is IT helpdesk software. Problem A vulnerability in an outdated Apache Santuario library in ServiceDesk Plus allows a remote, unauthenticated attacker to execute arbitrary commands by sending a specially crafted SAMLResponse paramete...
CVE-2023-23077
Cross site scripting XSS vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment...
Cross site scripting
Cross site scripting XSS vulnerability in Zoho ManageEngine ServiceDesk Plus 14 via PO in the purchase component...
CVE-2023-23078
Summary: CVE-2023-23078 is a cross-site scripting (XSS) vulnerability reported in Zoho ManageEngine ServiceDesk Plus 14, exploitable via the comment field when changing credentials in the Assets. Connected sources (Red Hat, Nessus, CVE lists) corroborate an XSS issue affecting SDP/Asset-related c...
CVE-2023-23073
CVE-2023-23073 affects Zoho ManageEngine ServiceDesk Plus 14, with a cross-site scripting (XSS) vulnerability exposed via the purchase order (PO) in the purchase component. Connected documents confirm the issue in SDP 14 (and pre-14.1 MSP/SDP variants) and describe the root cause as an XSS flaw i...
CVE-2023-23077
CVE-2023-23077 affects Zoho ManageEngine ServiceDesk Plus version 13. It is a Cross-Site Scripting (XSS) vulnerability exploitable via the comment field when adding a new status comment. Root cause cited by PT Security: inadequate protection of the web page structure, allowing an XSS payload. The...
CVE-2023-23074
CVE-2023-23074 is a cross-site scripting (XSS) vulnerability affecting Zoho ManageEngine ServiceDesk Plus 14, caused by embedding videos in the language component. Public sources from Red Hat and Nessus identify affected versions as ServiceDesk Plus prior to 14.1 Build 14104. The CVSS v3.1 base s...
CVE-2023-23077
Cross site scripting XSS vulnerability in Zoho ManageEngine ServiceDesk Plus 13 via the comment field when adding a new status comment...
PT-2023-1149 · Zoho · Zoho Manageengine Servicedesk Plus
Name of the Vulnerable Software and Affected Versions: Zoho ManageEngine ServiceDesk Plus MSP versions prior to 10611 Zoho ManageEngine ServiceDesk Plus versions 13.x prior to 13004 Description: The issue is related to the implementation of the authentication mechanism via the LDAP protocol in th...
CVE-2022-25245
Zoho ManageEngine ServiceDesk Plus before 13001 allows anyone to know the organisation's default currency name...
APT Actors Exploiting CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus
Summary This joint Cybersecurity Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge ATT &CK® framework, Version 9. See the ATT&CK for Enterprise framework for referenced threat actor techniques and for mitigations. This joint advisory is the result of analytic efforts...
CVE-2021-44077
Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration. Recent assessments:...