Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-12252: Authorization Bypass Through User-Controlled Key in ManageEngine ServiceDesk Plus

Severity: 6.5 MEDIUM (NVD)
EPSS: 7.0% (top 8.48%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published May 21; latest update May 24

Description

In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id= substring.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (Exploitability: 2.8 | Impact: 3.6)

Affected Packages (1 package)

Vulnerability Details (2)

GHSA: GHSA-gp2f-p94x-gqv7: In Zoho ManageEngine ServiceDesk Plus through 10 (2022-05-24)
CVEList: CVE-2019-12252: In Zoho ManageEngine ServiceDesk Plus through 10 (2019-05-21)

Exploits & PoCs (1)

Exploit-DB: Zoho ManageEngine ServiceDesk Plus < 10.5 - Improper Access Restrictions (2019-05-22)
CVE-2019-12252 — MEDIUM severity | cvebase