Zoho ManageEngine ServiceDesk Plus 10.5 Remote Code Execution Vulnerability

Summary

In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id= URL substring, without any check that the requesting account is allowed to see that post.
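A defender mainly wants to know whether a low-privilege account has been walking that id parameter. The following script is an added example, not code from the advisory, from VinCSS or from Zoho: it parses constructed access-log lines in a combined-log-like format and flags any (client, user) pair that successfully retrieved several distinct solution ids through the SDNotify.do forwarding path quoted above. The log format, the IP addresses, the usernames, the set of accounts treated as low-privilege and the threshold are all assumptions.

```python
"""Heuristic detection for solution-id enumeration through SDNotify.do.

Added example (not from the advisory or from Zoho). Parses constructed
access-log lines and flags accounts that pulled many distinct solution ids
through the forwarding path named in the advisory. Log format, usernames,
IPs, low-privilege set and threshold are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (hypothetical hosts, users and sizes), not real logs.
SAMPLE_LOG = """\
10.0.0.5 - guest [21/May/2019:10:00:01 +0000] "GET /SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id=101 HTTP/1.1" 200 5120
10.0.0.5 - guest [21/May/2019:10:00:02 +0000] "GET /SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id=102 HTTP/1.1" 200 5098
10.0.0.5 - guest [21/May/2019:10:00:03 +0000] "GET /SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id=103 HTTP/1.1" 200 4877
10.0.0.5 - guest [21/May/2019:10:00:04 +0000] "GET /SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id=104 HTTP/1.1" 403 312
10.0.0.9 - admin [21/May/2019:10:05:00 +0000] "GET /SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id=7 HTTP/1.1" 200 6001
10.0.0.7 - guest [21/May/2019:10:06:00 +0000] "GET /HomePage.do HTTP/1.1" 200 2200
"""

# Combined-log-like layout: ip ident user [timestamp] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

LOW_PRIV_USERS = {"guest"}  # assumption: accounts considered lowest privilege
THRESHOLD = 3               # assumption: distinct ids before an account is flagged


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_solution_forward(target):
    """True when the request target is the SDNotify.do solution-forward path
    from the advisory (module Solution, recipient SOLFORWARD, with an id)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/SDNotify.do"):
        return False
    q = parse_qs(parts.query)
    return (q.get("notifyModule") == ["Solution"]
            and q.get("notifyTo") == ["SOLFORWARD"]
            and "id" in q)


def solution_id(target):
    """Extract the id query parameter from a matching request target."""
    return parse_qs(urlsplit(target).query)["id"][0]


def find_enumeration(log_text, threshold=THRESHOLD):
    """Group successful solution-forward views by (ip, user) and return the
    pairs that retrieved at least `threshold` distinct ids, sorted by key."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_solution_forward(rec["target"]):
            continue
        if not rec["status"].startswith("2"):
            continue  # only count responses that actually returned content
        seen[(rec["ip"], rec["user"])].add(solution_id(rec["target"]))
    findings = []
    for (ip, user), ids in sorted(seen.items()):
        if len(ids) >= threshold:
            findings.append({
                "ip": ip,
                "user": user,
                "distinct_ids": len(ids),
                # a low-privilege account walking ids is the advisory's scenario
                "severity": "high" if user in LOW_PRIV_USERS else "medium",
            })
    return findings


if __name__ == "__main__":
    for finding in find_enumeration(SAMPLE_LOG):
        print(finding)
```

On the sample above only the guest session from 10.0.0.5 is reported: its denied (403) request is not counted, the admin account fetched a single id, and the other guest never touched the forwarding path. The threshold is a tuning knob; lowering it to 1 reports every account that used the path, which is useful when reviewing whether the patched build still serves it to guests.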

Credit:

The information has been provided by VinCSS.
The original article can be found at: https://www.manageengine.com/products/service-desk/readme.html


Details

Zoho ManageEngine ServiceDesk Plus is prone to an access-bypass vulnerability.
Attackers can exploit this issue to bypass security restrictions and perform unauthorized actions; this may aid in launching further attacks.
Zoho ManageEngine ServiceDesk Plus versions through 10.5 are vulnerable.

Vulnerable Systems:

  • Zohocorp Manageengine Servicedesk Plus 10.5

CVE Information:
CVE-2019-12252

Disclosure Timeline:
Publish Date: 05/21/2019
