Vulnerabilites related to ManageEngine - ServiceDesk Plus
CVE-2024-41150 (GCVE-0-2024-41150)
Vulnerability from cvelistv5
Published
2024-08-23 14:08
Modified
2024-08-23 14:38
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
An Stored Cross-site Scripting vulnerability in request module affects Zohocorp ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus.This issue affects ServiceDesk Plus versions: through 14810; ServiceDesk Plus MSP: through 14800; SupportCenter Plus: through 14800.
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ► | ManageEngine | ServiceDesk Plus |
Version: 0 |
|||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41150",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-23T14:38:04.957325Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-23T14:38:15.256Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.manageengine.com/products/service-desk/",
"defaultStatus": "unaffected",
"product": "ServiceDesk Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThanOrEqual": "14810",
"status": "affected",
"version": "0",
"versionType": "14810"
}
]
},
{
"collectionURL": "https://www.manageengine.com/products/service-desk/",
"defaultStatus": "unaffected",
"product": "ServiceDesk Plus MSP",
"vendor": "ManageEngine",
"versions": [
{
"lessThanOrEqual": "14800",
"status": "affected",
"version": "0",
"versionType": "14810"
}
]
},
{
"collectionURL": "https://www.manageengine.com/products/service-desk/",
"defaultStatus": "unaffected",
"product": "SupportCenter Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThanOrEqual": "14800",
"status": "affected",
"version": "0",
"versionType": "14810"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An Stored Cross-site Scripting vulnerability in request module affects Zohocorp\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus.\u003c/span\u003e\u003cp\u003eThis issue affects ServiceDesk Plus versions: through 14810; ServiceDesk Plus MSP: through 14800; SupportCenter Plus: through 14800.\u003c/p\u003e"
}
],
"value": "An Stored Cross-site Scripting vulnerability in request module affects Zohocorp\u00a0ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus.This issue affects ServiceDesk Plus versions: through 14810; ServiceDesk Plus MSP: through 14800; SupportCenter Plus: through 14800."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-23T14:15:04.852Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "ManageEngine"
},
"references": [
{
"url": "https://www.manageengine.com/products/service-desk/CVE-2024-41150.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "ManageEngine",
"cveId": "CVE-2024-41150",
"datePublished": "2024-08-23T14:08:17.169Z",
"dateReserved": "2024-07-16T07:03:21.737Z",
"dateUpdated": "2024-08-23T14:38:15.256Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-8309 (GCVE-0-2025-8309)
Vulnerability from cvelistv5
Published
2025-08-20 16:53
Modified
2025-08-21 03:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-269 - Improper Privilege Management
Summary
There is an improper privilege management vulnerability identified in ManageEngine's Asset Explorer, ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus products by Zohocorp.
This vulnerability impacts Asset Explorer versions before 7710, ServiceDesk Plus versions before 15110, ServiceDesk Plus MSP versions before 14940, and SupportCenter Plus versions before 14940.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ► | ManageEngine | Asset Explorer |
Version: 0 |
||||||||||||||||
|
|||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8309",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-21T03:55:16.201Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Asset Explorer",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "7710",
"status": "affected",
"version": "0",
"versionType": "7710"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ServiceDesk Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "15110",
"status": "affected",
"version": "0",
"versionType": "15110"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ServiceDesk Plus MSP",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "14940",
"status": "affected",
"version": "0",
"versionType": "14940"
}
]
},
{
"defaultStatus": "unaffected",
"product": "SupportCenter Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThan": "14940",
"status": "affected",
"version": "0",
"versionType": "14940"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "There is an improper privilege management vulnerability identified in ManageEngine\u0027s Asset Explorer, ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus products by Zohocorp. \u003cbr\u003e\u003cbr\u003eThis vulnerability impacts Asset Explorer versions before 7710, ServiceDesk Plus versions before 15110, ServiceDesk Plus MSP versions before 14940, and SupportCenter Plus versions before 14940."
}
],
"value": "There is an improper privilege management vulnerability identified in ManageEngine\u0027s Asset Explorer, ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus products by Zohocorp. \n\nThis vulnerability impacts Asset Explorer versions before 7710, ServiceDesk Plus versions before 15110, ServiceDesk Plus MSP versions before 14940, and SupportCenter Plus versions before 14940."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T16:53:29.010Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "Zohocorp"
},
"references": [
{
"url": "https://www.manageengine.com/products/service-desk/cve-2025-8309.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "User privilege escalation vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "Zohocorp",
"cveId": "CVE-2025-8309",
"datePublished": "2025-08-20T16:53:29.010Z",
"dateReserved": "2025-07-29T14:32:17.844Z",
"dateUpdated": "2025-08-21T03:55:16.201Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-50053 (GCVE-0-2024-50053)
Vulnerability from cvelistv5
Published
2025-03-21 06:01
Modified
2025-05-05 13:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
Zohocorp ManageEngine ServiceDesk Plus versions below 14920 , ServiceDesk Plus MSP and SupportCentre Plus versions below 14910 are vulnerable to Stored XSS in the task feature.
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ► | ManageEngine | ServiceDesk Plus |
Version: 0 |
|||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-50053",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-21T13:58:06.843899Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-03T13:04:53.410Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://www.manageengine.com/products/service-desk/",
"defaultStatus": "unaffected",
"product": "ServiceDesk Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThanOrEqual": "14910",
"status": "affected",
"version": "0",
"versionType": "14910"
}
]
},
{
"collectionURL": "https://www.manageengine.com/products/service-desk-msp/",
"defaultStatus": "unaffected",
"product": "ServiceDesk Plus MSP",
"vendor": "ManageEngine",
"versions": [
{
"lessThanOrEqual": "14900",
"status": "affected",
"version": "0",
"versionType": "14900"
}
]
},
{
"collectionURL": "https://www.manageengine.com/products/support-center/",
"defaultStatus": "unaffected",
"product": "SupportCentre Plus",
"vendor": "ManageEngine",
"versions": [
{
"lessThanOrEqual": "14900",
"status": "affected",
"version": "0",
"versionType": "14900"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "vuhd and brocked200 from Viettel Cyber Security"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Zohocorp ManageEngine ServiceDesk Plus versions\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ebelow\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e14920\u003c/span\u003e\u003c/span\u003e\u0026nbsp;, ServiceDesk Plus MSP and SupportCentre Plus versions below\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e14910 are vulnerable to Stored XSS in the task feature.\u003c/span\u003e"
}
],
"value": "Zohocorp ManageEngine ServiceDesk Plus versions\u00a0below\u00a014920\u00a0, ServiceDesk Plus MSP and SupportCentre Plus versions below\u00a014910 are vulnerable to Stored XSS in the task feature."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-05T13:24:19.125Z",
"orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"shortName": "Zohocorp"
},
"references": [
{
"url": "https://www.manageengine.com/products/service-desk/CVE-2024-50053.html"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Stored XSS",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
"assignerShortName": "Zohocorp",
"cveId": "CVE-2024-50053",
"datePublished": "2025-03-21T06:01:39.945Z",
"dateReserved": "2024-11-07T11:25:31.918Z",
"dateUpdated": "2025-05-05T13:24:19.125Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}