Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2014-9331 — Cross-Site Request Forgery in Manageengine Desktop Central

CWE-352 — Cross-Site Request Forgery4 documents4 sources

Severity

6.8MEDIUMNVD

EPSS

2.0%

top 16.12%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Zohocorp Manageengine Desktop Central

Timeline

PublishedFeb 4

Latest updateMay 14

Description

Cross-site request forgery (CSRF) vulnerability in ZOHO ManageEngine Desktop Central before 9 build 90130 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via an addUser action to STATE_ID/1417736606982/roleMgmt.do.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages1 packages

▶NVDzohocorp/manageengine_desktop_central9.0

Patches

Patch: www.manageengine.com ↗Patch: www.manageengine.com ↗

🔴Vulnerability Details

GHSA

GHSA-m2wv-xvc5-4rfq: Cross-site request forgery (CSRF) vulnerability in ZOHO ManageEngine Desktop Central before 9 build 90130 allows remote attackers to hijack the authen↗2022-05-14

▶

CVEList

CVE-2014-9331: Cross-site request forgery (CSRF) vulnerability in ZOHO ManageEngine Desktop Central before 9 build 90130 allows remote attackers to hijack the authen↗2015-02-04

▶

💥Exploits & PoCs

Exploit-DB

ManageEngine Desktop Central 9 Build 90087 - Cross-Site Request Forgery↗2015-02-03

▶