RSS   Vulnerabilities for 'Manageengine servicedesk plus'   RSS

2019-06-18
 
CVE-2019-12133

CWE-275
 

 
Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, SupportCenter Plus 8.1, O365 Manager Plus 4.0, Mobile Device Manager Plus 9.0.0, Patch Connect Plus 9.0.0, Vulnerability Manager Plus 9.0.0, Patch Manager Plus 9.0.0, OpManager 12.3, NetFlow Analyzer 11.0, OpUtils 11.0, Network Configuration Manager 11.0, FireWall 12.0, Key Manager Plus 5.6, Password Manager Pro 9.9, Analytics Plus 1.0, and Browser Security Plus.

 
2019-06-05
 
CVE-2019-12543

CWE-79
 

 
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter.

 
 
CVE-2019-12542

CWE-79
 

 
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter.

 
 
CVE-2019-12541

CWE-79
 

 
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter.

 
 
CVE-2019-12538

CWE-79
 

 
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do search field.

 
2019-05-21
 
CVE-2019-12252

CWE-264
 

 
In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id= substring.

 
 
CVE-2019-12189

CWE-79
 

 
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field.

 
2019-04-04
 
CVE-2019-10273

CWE-200
 

 
Information leakage vulnerability in the /mc login page in ManageEngine ServiceDesk Plus 9.3 software allows authenticated users to enumerate active users. Due to a flaw within the way the authentication is handled, an attacker is able to login and verify any active account.

 
2018-05-11
 
CVE-2018-7248

CWE-255
 

 
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3 Build 9317. Unauthenticated users are able to validate domain user accounts by sending a request containing the username to an API endpoint. The endpoint will return the user's logon domain if the accounts exists, or 'null' if it does not.

 

 >>> Vendor: Zohocorp 37 Products
Webnms
Manageengine adselfservice plus
Manageengine admanager plus
Manageengine assetexplorer
Manageengine opstor
Manageengine eventlog analyzer
Manageengine desktop central
Manageengine it360
Manageengine netflow analyzer
Manageengine it plus
Manageengine opmanager
Manageengine social it plus
Manageengine supportcenter plus
Servicedesk plus
Manageengine password manager pro
Webnms framework
Password manager pro
Manageengine firewall analyzer
Site24x7 mobile network poller
Manageengine applications manager
Manageengine recovery manager plus
Manageengine servicedesk plus
Firewall analyzer
Network configuration manager
Opmanager
Oputils
Manageengine analytics plus
Manageengine browser security plus
Manageengine firewall
Manageengine key manager plus
Manageengine mobile device manager plus
Manageengine network configuration manager
Manageengine o365 manager plus
Manageengine oputils
Manageengine patch connect plus
Manageengine patch manager plus
Manageengine vulnerability manager plus


Copyright 2019, cxsecurity.com

 

Back to Top