CVE-2019-10008
published 2019-04-24


Priority: P2 (69) · Severity: high · CVSS 3.0 base score: 8.8
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Exploit: available
EPSS: 19.73% (97.1th percentile)
Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation because an established guest session is automatically converted into an established administrator session when the guest user enters the administrator username, with an arbitrary incorrect password, in an mc/ login attempt within a different browser tab.

Affected (1 range)

Vendor: zohocorp
Product: servicedesk_plus
Version range: 9.3 (as stated in the description above)
Fixed in: build 10017 (as stated in the detection notes below)

Detection & IOCs (extracted from sources)

  • The exploit goes through the /mc (mobile console) sub-application specifically: a failed login attempt there, submitted from a browser tab that already holds a guest session, is what converts that session to administrator. Installations with the mobile console disabled or firewalled are not exploitable via this path.
  • The vulnerability was fixed in build 10017; scope detections to ManageEngine ServiceDesk Plus builds earlier than 10017.
  • The attacker needs at least one valid low-privilege (e.g. guest) account to establish the initial session; environments without a guest account, or with guest login disabled, reduce the attack surface.
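
The sequence described above (a session established for a guest, then a failed /mc login naming the administrator from that same session, then administrative activity) is a correlatable signal in web-server access logs. The following is an added detection example, not code from the page's sources or from Zoho; the log format, the login handler paths (`/j_security_check`, `/mc/j_security_check`), the `/admin/` path prefix and the "302 means successful login" convention are all constructed assumptions, and the sample log is fabricated for illustration. Only the fix build number 10017 comes from the page.

```python
"""
Illustrative detection for the CVE-2019-10008 session-conversion pattern:
a session established for one (guest) user later submits a failed /mc login
for a different username, then reaches administrative paths.

The log format, field names, login handler paths and admin path prefix are
constructed assumptions for this example, not ServiceDesk Plus's real log layout.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

FIXED_BUILD = 10017                      # fix build quoted on this page
SUCCESS_STATUSES = {302}                 # assumption: a successful login redirects
LOGIN_PATH = "/j_security_check"         # assumption: main web-client login handler
MC_LOGIN_PATH = "/mc/j_security_check"   # assumption: mobile-console login handler
ADMIN_PREFIXES = ("/admin/",)            # assumption: paths only an administrator should reach


@dataclass
class SessionState:
    user: Optional[str] = None           # user the session was established for
    crossed_user: Optional[str] = None   # other username tried on /mc in this session
    admin_hits: List[str] = field(default_factory=list)


def parse_line(line: str) -> dict:
    """Parse one constructed record: ts|session|method|path|status|login_user ('-' if none)."""
    ts, sid, method, path, status, login_user = line.strip().split("|")
    return {"ts": ts, "sid": sid, "method": method, "path": path,
            "status": int(status),
            "login_user": None if login_user == "-" else login_user}


def analyze(lines: List[str]) -> List[dict]:
    """Return one finding per session showing guest login -> failed /mc login as
    someone else -> access to an administrative path, in that order."""
    sessions: Dict[str, SessionState] = {}
    findings: List[dict] = []
    for raw in lines:
        rec = parse_line(raw)
        st = sessions.setdefault(rec["sid"], SessionState())
        if rec["path"] == LOGIN_PATH and rec["status"] in SUCCESS_STATUSES and st.user is None:
            st.user = rec["login_user"]            # session is now bound to this user
        elif (rec["path"] == MC_LOGIN_PATH and rec["status"] not in SUCCESS_STATUSES
              and st.user is not None and rec["login_user"] not in (None, st.user)):
            st.crossed_user = rec["login_user"]    # failed /mc login naming a different user
        elif st.crossed_user and rec["path"].startswith(ADMIN_PREFIXES):
            st.admin_hits.append(rec["path"])
            if len(st.admin_hits) == 1:            # report each session once
                findings.append({"session": rec["sid"], "established_as": st.user,
                                 "mc_login_as": st.crossed_user,
                                 "first_admin_path": rec["path"], "ts": rec["ts"]})
    return findings


def is_vulnerable_build(build: int) -> bool:
    """Scope the rule to builds before the fix, as the source note recommends."""
    return build < FIXED_BUILD


# Constructed sample log: s1 shows the pattern, s2 is a normal guest, s3 is a real admin.
SAMPLE_LOG = [
    "2019-04-24T10:00:01|s1|POST|/j_security_check|302|guest",
    "2019-04-24T10:00:05|s1|GET|/HomePage.do|200|-",
    "2019-04-24T10:01:10|s1|POST|/mc/j_security_check|200|administrator",
    "2019-04-24T10:01:12|s1|GET|/admin/Users.do|200|-",
    "2019-04-24T10:02:00|s2|POST|/j_security_check|302|guest",
    "2019-04-24T10:02:03|s2|GET|/HomePage.do|200|-",
    "2019-04-24T10:03:00|s3|POST|/j_security_check|302|administrator",
    "2019-04-24T10:03:04|s3|GET|/admin/Users.do|200|-",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The rule deliberately keys on the session identifier rather than the client IP, because the attack happens inside one browser across tabs, so the cookie is the thing that ties the guest login, the failed /mc attempt and the later administrative requests together. A real deployment would swap the constructed parser for the actual access-log format and tune `ADMIN_PREFIXES` to the administrative endpoints of the installation.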

CVSS provenance

NVD, CVSS v3.0: 8.8 HIGH, vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 6.5 MEDIUM, vector AV:N/AC:L/Au:S/C:P/I:P/A:P