Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-10273 β€” Improper Authentication in Manageengine Servicedesk Plus

CWE-287 β€” Improper Authentication4 documents4 sources
Severity
4.3MEDIUMNVD
EPSS
13.7%
top 5.72%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Zohocorp Manageengine Servicedesk Plus
Timeline
PublishedApr 4
Latest updateMay 13

Description

Information leakage vulnerability in the /mc login page in ManageEngine ServiceDesk Plus 9.3 software allows authenticated users to enumerate active users. Due to a flaw within the way the authentication is handled, an attacker is able to login and verify any active account.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

πŸ”΄Vulnerability Details

2
GHSA
GHSA-cgp9-mfw2-2hh5: Information leakage vulnerability in the /mc login page in ManageEngine ServiceDesk Plus 9β†—2022-05-13
β–Ά
CVEList
CVE-2019-10273: Information leakage vulnerability in the /mc login page in ManageEngine ServiceDesk Plus 9β†—2019-04-04
β–Ά

πŸ’₯Exploits & PoCs

1
Exploit-DB
ManageEngine ServiceDesk Plus 9.3 - User Enumeration↗2019-04-08
β–Ά
CVE-2019-10273 β€” Improper Authentication | cvebase