Vulnerabilities > CVE-2019-12252 - Authorization Bypass Through User-Controlled Key vulnerability in Zohocorp Manageengine Servicedesk Plus

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

zohocorp

CWE-639

exploit available

NVD

Published: 2019-05-21

Updated: 2023-03-01

Summary

In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id= substring.

Vulnerable Configurations

Part	Description	Count
Application	Zohocorp Zohocorp Manageengine Servicedesk Plus - Zohocorp Manageengine Servicedesk Plus 8.1 Zohocorp Manageengine Servicedesk Plus 8.2 Zohocorp Manageengine Servicedesk Plus 9.0 Zohocorp Manageengine Servicedesk Plus 9.1 Zohocorp Manageengine Servicedesk Plus 9.2 Zohocorp Manageengine Servicedesk Plus 9.3 Zohocorp Manageengine Servicedesk Plus 9.4 Zohocorp Manageengine Servicedesk Plus 10.0 Zohocorp Manageengine Servicedesk Plus 10.0.0 Zohocorp Manageengine Servicedesk Plus 10.5	246

Common Weakness Enumeration (CWE)

CWE-639 - Authorization Bypass Through User-Controlled Key

Exploit-Db

id	EDB-ID:46894
last seen	2019-05-22
modified	2019-05-22
published	2019-05-22
reporter	Exploit-DB
source	https://www.exploit-db.com/download/46894
title	Zoho ManageEngine ServiceDesk Plus < 10.5 - Improper Access Restrictions

Packetstorm

data source	https://packetstormsecurity.com/files/download/153029/zohomesdp-escalate.txt
id	PACKETSTORM:153029
last seen	2019-05-24
published	2019-05-22
reporter	Enter Of VinCSS
source	https://packetstormsecurity.com/files/153029/Zoho-ManageEngine-ServiceDesk-Plus-Privilege-Escalation.html
title	Zoho ManageEngine ServiceDesk Plus Privilege Escalation

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Exploit-Db

Packetstorm

References