Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-10008

CWE-3844 documents4 sources
Severity
8.8HIGH
EPSS
9.1%
top 7.33%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Zohocorp Servicedesk Plus
Timeline
PublishedApr 24
Latest updateMay 24

Description

Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation because an established guest session is automatically converted into an established administrator session when the guest user enters the administrator username, with an arbitrary incorrect password, in an mc/ login attempt within a different browser tab.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-xpc7-m273-pggq: Zoho ManageEngine ServiceDesk 92022-05-24
CVEList
CVE-2019-10008: Zoho ManageEngine ServiceDesk 92019-04-24

💥Exploits & PoCs

1
Exploit-DB
Manage Engine ServiceDesk Plus 10.0 - Privilege Escalation2019-04-05
CVE-2019-10008 (HIGH CVSS 8.8) | Zoho ManageEngine ServiceDesk 9.3 a | cvebase.io