CVE-2019-10008
Published 2019-04-24
Priority: P2 · 69 · high · CVSS 3.0: 8.8
CVSS 3.0 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: EPSS 19.73% (97.1th percentile)
Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation because an established guest session is automatically converted into an established administrator session when the guest user enters the administrator username, with an arbitrary incorrect password, in an mc/ login attempt within a different browser tab.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | servicedesk_plus | — | — |
Detection & IOCs (extracted from sources)
- The exploit targets the /mc (mobile console) sub-application specifically; installations that have the mobile console disabled or firewalled may not be exploitable via this path.
- The vulnerability was fixed in version 10017; detections should be scoped to ManageEngine ServiceDesk Plus versions prior to 10017.
- The exploit requires at least one valid low-privilege (e.g. guest) account credential to initiate the session; environments without a guest account or with guest login disabled reduce the attack surface.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
No detection rules found.
Exploit-DB: ManageEngine ServiceDesk Plus 9.3 - User Enumeration (CVE-2019-10273 [HIGH]) · 2019-04-08 · CVSS 8.8
---
# Exploit Title: ManageEngine ServiceDesk Plus - 9.3 User enumeration vulnerability
# Date: 2019-03-29
# Exploit Author: Operat0r
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/service-desk/download.html
# Version: 9.3
# Tested on: Ubuntu Linux
# CVE : CVE-2019-10273
ManageEngine ServiceDesk Plus - 9.3 User enumeration vulnerability
Overview:
CVE-2019-10273 is an information leakage vulnerability within the ManageEngine ServiceDesk Plus 9.3 software. This vulnerability allows for the enumeration of active users that are registered on the ServiceDesk 9.3 hosted software.
Due to a flaw within the way the authentication is handled, an attacker is able to log in and verify any
Exploit-DB: Manage Engine ServiceDesk Plus 10.0 - Privilege Escalation (CVE-2019-10008 [HIGH]) · 2019-04-05 · CVSS 8.8
---
#!/usr/bin/python
# Exploit Title: Manage Engine ServiceDesk Plus Version <10.0 Privilege Escalation
# Date: 30-03-2019
# Exploit Author: Ata Hakçıl, Melih Kaan Yıldız
# Vendor: ManageEngine
# Vendor Homepage: www.manageengine.com
# Product: Service Desk Plus
# Version: 10.0
# Tested On: Kali Linux
# CVE: CVE-2019-10008
# Platform: JSP
# Timeline
# 22 march 2019: Discovery
# 24 march 2019: CVE id reserved for CVE-2019-10008
# 26 march 2019: First contact with vendor
# 5 april 2019: First publication
# 10 april 2019: Vendor confirmation
# 11 april 2019: Vendor released a fix (version 10017)
# Reference link: https://www.manageengine.com/products/service-desk/readme.html
import os
import re
# How to use: Change the host
No writeups or analysis indexed.
Published: 2019-04-24