CVE-2019-12252 - Authorization Bypass Through User-Controlled Key vulnerability in Zohocorp Manageengine Servicedesk Plus
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | LOW |
Confidentiality impact | HIGH |
Integrity impact | NONE |
Availability impact | NONE |
Summary
In Zoho ManageEngine ServiceDesk Plus through 10.5, a user with the lowest privilege level (guest) can view any solution post by appending its numeric id to the substring SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id= . The id parameter is taken directly from the request and is not checked against the requesting user's authorization, which is the CWE-639 (Authorization Bypass Through User-Controlled Key) pattern; only confidentiality is affected, since the endpoint discloses content but does not let the guest modify it.
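The following is an added example and is not code from the advisory, from Exploit-DB or from ManageEngine. It shows the detection side of this issue: a small Python script that runs over web-server access logs in the common "combined" format (an assumption; ServiceDesk Plus may log differently), picks out requests to the SDNotify.do solution-forward URL named in the summary, and flags any client that fetches several distinct solution ids within a short window, which is what a guest enumerating posts looks like. The log lines, client addresses, timestamps and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Combined access-log line: ip ident user [ts] "METHOD url proto" status size
# (format is an assumption for this example, not ServiceDesk Plus's own log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample: 10.0.0.5 sweeps ids 1-4 in three seconds, 10.0.0.9 reads one post.
SAMPLE_LOG = """\
10.0.0.5 - - [22/May/2019:10:15:01 +0000] "GET /SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id=1 HTTP/1.1" 200 5123
10.0.0.5 - - [22/May/2019:10:15:02 +0000] "GET /SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id=2 HTTP/1.1" 200 4988
10.0.0.5 - - [22/May/2019:10:15:02 +0000] "GET /SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id=3 HTTP/1.1" 200 5301
10.0.0.5 - - [22/May/2019:10:15:03 +0000] "GET /SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id=4 HTTP/1.1" 200 5050
10.0.0.9 - - [22/May/2019:10:16:40 +0000] "GET /SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id=17 HTTP/1.1" 200 6002
10.0.0.9 - - [22/May/2019:10:20:00 +0000] "GET /HomePage.do HTTP/1.1" 200 11000
"""


def parse_line(line):
    """Return (ip, datetime, url, status) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("url"), int(m.group("status"))


def solution_forward_id(url):
    """If url is the SDNotify.do solution-forward request from the advisory,
    return its numeric id as a string; otherwise return None."""
    parts = urlsplit(url)
    if not parts.path.endswith("/SDNotify.do"):
        return None
    q = parse_qs(parts.query)
    if q.get("notifyModule") != ["Solution"] or q.get("notifyTo") != ["SOLFORWARD"]:
        return None
    ids = q.get("id", [])
    return ids[0] if ids and ids[0].isdigit() else None


def find_enumeration(lines, min_ids=3, window=timedelta(seconds=60)):
    """Flag clients that successfully fetched >= min_ids distinct solution ids
    within `window`. Returns {ip: sorted distinct ids in the first offending window}."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, url, status = rec
        sid = solution_forward_id(url)
        if sid is not None and status == 200:  # 200 = content was served
            hits[ip].append((ts, int(sid)))

    flagged = {}
    for ip, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = {sid for ts, sid in events[i:] if ts - start <= window}
            if len(in_window) >= min_ids:
                flagged[ip] = sorted(in_window)
                break
    return flagged


if __name__ == "__main__":
    for ip, ids in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(ids)} distinct solution ids via SOLFORWARD: {ids}")
```

The status filter matters: on a patched build a guest should get a redirect or error rather than a 200 for a post it cannot see, so a client producing many 200s across sequential ids is the signal. Tune min_ids and window to the normal forwarding rate in your deployment, and correlate the client address with the ServiceDesk session or user if your logs carry it, since the advisory's point is that the caller is only a guest.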
Vulnerable Configurations
Zoho ManageEngine ServiceDesk Plus through 10.5 (as stated in the summary; the Exploit-DB title gives the affected range as < 10.5)
Common Weakness Enumeration (CWE)
CWE-639: Authorization Bypass Through User-Controlled Key
Exploit-Db
id | EDB-ID:46894 |
last seen | 2019-05-22 |
modified | 2019-05-22 |
published | 2019-05-22 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/46894 |
title | Zoho ManageEngine ServiceDesk Plus < 10.5 - Improper Access Restrictions |
Packetstorm
data source | https://packetstormsecurity.com/files/download/153029/zohomesdp-escalate.txt |
id | PACKETSTORM:153029 |
last seen | 2019-05-24 |
published | 2019-05-22 |
reporter | Enter Of VinCSS |
source | https://packetstormsecurity.com/files/153029/Zoho-ManageEngine-ServiceDesk-Plus-Privilege-Escalation.html |
title | Zoho ManageEngine ServiceDesk Plus Privilege Escalation |
References
- http://packetstormsecurity.com/files/153029/Zoho-ManageEngine-ServiceDesk-Plus-Privilege-Escalation.html
- http://www.securityfocus.com/bid/108456
- https://github.com/tuyenhva/CVE-2019-12252
- https://www.manageengine.com/products/service-desk/readme.html