Vulnerabilities > Zohocorp > Manageengine Servicedesk Plus > 9.0
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-05-21 | CVE-2019-12252 | Authorization Bypass Through User-Controlled Key vulnerability in Zohocorp Manageengine Servicedesk Plus In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the SDNotify.do?notifyModule=Solution&mode=E-Mail¬ifyTo=SOLFORWARD&id= substring. | 6.5 |
| 2019-03-25 | CVE-2017-9376 | Improper Input Validation vulnerability in Zohocorp Manageengine Servicedesk Plus ManageEngine ServiceDesk Plus before 9314 contains a local file inclusion vulnerability in the defModule parameter in DefaultConfigDef.do and AssetDefaultConfigDef.do. | 6.5 |
| 2019-03-25 | CVE-2017-9362 | XXE vulnerability in Zohocorp Manageengine Servicedesk Plus ManageEngine ServiceDesk Plus before 9312 contains an XML injection at add Configuration items CMDB API. | 8.8 |
| 2019-02-17 | CVE-2019-8395 | Use of Incorrectly-Resolved Name or Reference vulnerability in Zohocorp Manageengine Servicedesk Plus An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an attachment to a request. | 9.8 |
| 2019-02-17 | CVE-2019-8394 | Unrestricted Upload of File with Dangerous Type vulnerability in Zohocorp Manageengine Servicedesk Plus Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization. | 6.5 |
| 2018-03-30 | CVE-2018-5799 | Cross-site Scripting vulnerability in Zohocorp Manageengine Servicedesk Plus In Zoho ManageEngine ServiceDesk Plus before 9403, an XSS issue allows an attacker to run arbitrary JavaScript via a /api/request/?OPERATION_NAME= URI, aka SD-69139. | 6.1 |