U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

National Vulnerability Database

National Vulnerability Database

NVD

National Vulnerability Database
  1. VulnerabilitiesSearch And Statistics

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3:9322:*:*:*:*:*:*
  • CPE Name Search: true
There are 28 matching records.
Displaying matches 21 through 28.
Vuln ID Summary CVSS Severity
CVE-2019-12541

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter.

Published: June 05, 2019; 11:29:01 AM -0400 		V4.0:(not available)
 V3.0: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2019-12538

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do search field.

Published: June 05, 2019; 11:29:01 AM -0400 		V4.0:(not available)
 V3.0: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2019-12252

In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id= substring.

Published: May 21, 2019; 2:29:00 PM -0400 		V4.0:(not available)
 V3.1: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2019-12189

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field.

Published: May 21, 2019; 2:29:00 PM -0400 		V4.0:(not available)
 V3.0: 6.1 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2019-10273

Information leakage vulnerability in the /mc login page in ManageEngine ServiceDesk Plus 9.3 software allows authenticated users to enumerate active users. Due to a flaw within the way the authentication is handled, an attacker is able to login and verify any active account.

Published: April 04, 2019; 12:29:02 PM -0400 		V4.0:(not available)
 V3.0: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2019-8395

An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an attachment to a request.

Published: February 16, 2019; 11:29:00 PM -0500 		V4.0:(not available)
 V3.0: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2019-8394

Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization.

Published: February 16, 2019; 11:29:00 PM -0500 		V4.0:(not available)
 V3.0: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2018-5799

In Zoho ManageEngine ServiceDesk Plus before 9403, an XSS issue allows an attacker to run arbitrary JavaScript via a /api/request/?OPERATION_NAME= URI, aka SD-69139.

Published: March 30, 2018; 9:29:00 AM -0400 		V4.0:(not available)
 V3.0: 6.1 MEDIUM
V2.0: 4.3 MEDIUM