This page lists publicly disclosed CVE vulnerabilities affecting manageengine servicedesk_plus (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2014-5302 | Directory traversal vulnerability in ServiceDesk Plus and Plus MSP v5 through v9.0 v9030; AssetExplorer v4 to v6.1; SupportCenter v5 to v7.9; IT360 v8 to v10.4 allows remote authenticated users to execute arbitrary code. | [email protected] | 8.8 | 52.45% | 2017-08-28 | 2026-05-13 |
| CVE-2014-5301 | Directory traversal vulnerability in ServiceDesk Plus MSP v5 to v9.0 v9030; AssetExplorer v4 to v6.1; SupportCenter v5 to v7.9; IT360 v8 to v10.4. | [email protected] | 8.8 | 76.62% | 2017-08-28 | 2026-05-13 |
| CVE-2015-1480 | ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to obtain sensitive ticket information via a (1) getTicketData action to servlet/AJaxServlet or a direct request to (2) swf/flashreport.swf, (3) reports/flash/details.jsp, or (4) reports/CreateReportTable.jsp. | [email protected] | 4.0 | 18.23% | 2015-02-04 | 2026-05-06 |
| CVE-2012-2585 | Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine ServiceDesk Plus 8.1 allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a SCRIPT element, (2) a crafted Cascading Style Sheets (CSS) expression property, (3) a CSS expression property in the STYLE attribute of an arbitrary element, or (4) a crafted SRC attribute of an IFRAME element, or an e-mail message subject with (5) a SCRIPT element, (6) a CSS expression property in the STYLE a | [email protected] | 4.3 | 0.38% | 2012-08-12 | 2026-04-29 |
| CVE-2011-1510 | Cross-site scripting (XSS) vulnerability in SolutionSearch.do in ManageEngine ServiceDesk Plus (SDP) before 8012 allows remote attackers to inject arbitrary web script or HTML via the searchText parameter. | [email protected] | 4.3 | 0.33% | 2011-09-20 | 2026-04-29 |
| CVE-2011-1509 | The encryptPassword function in Login.js in ManageEngine ServiceDesk Plus (SDP) 8012 and earlier uses a Caesar cipher for encryption of passwords in cookies, which makes it easier for remote attackers to obtain sensitive information by sniffing the network. | [email protected] | 5.0 | 0.19% | 2011-09-20 | 2026-04-29 |
| CVE-2011-2757 | Directory traversal vulnerability in FileDownload.jsp in ManageEngine ServiceDesk Plus 8.0.0.12 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the FILENAME parameter. NOTE: this might overlap the US-CERT VU#543310 issue. | [email protected] | 5.0 | 66.48% | 2011-07-17 | 2026-04-29 |
| CVE-2011-2756 | FileDownload.jsp in ManageEngine ServiceDesk Plus 8.0 before Build 8012 does not require authentication, which allows remote attackers to read files from a specific directory via unspecified vectors. | [email protected] | 5.0 | 0.32% | 2011-07-17 | 2026-04-29 |
| CVE-2011-2755 | Directory traversal vulnerability in FileDownload.jsp in ManageEngine ServiceDesk Plus 8.0 before Build 8012 allows remote attackers to read arbitrary files via unspecified vectors. | [email protected] | 5.0 | 2.85% | 2011-07-17 | 2026-04-29 |
| CVE-2008-1299 | Cross-site scripting (XSS) vulnerability in SolutionSearch.do in ManageEngine ServiceDesk Plus 7.0.0 Build 7011 for Windows allows remote attackers to inject arbitrary web script or HTML via the searchText parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | [email protected] | 6.1 | 0.43% | 2008-03-12 | 2026-04-23 |