⚠ Actively exploited
Added to CISA KEV on 2021-11-03. Federal agencies required to patch by 2022-05-03. Required action: Apply updates per vendor instructions.

CVE-2019-8394: Unrestricted File Upload in ManageEngine ServiceDesk Plus

Severity: 6.5 MEDIUM (NVD)
EPSS: 87.5% (top 0.54%)
CISA KEV: Added 2021-11-03, due 2022-05-03
Exploit: Exploited in wild (active exploitation observed)

Timeline
Published: Feb 17
KEV added: Nov 3
KEV due: May 3
Latest update: May 14

CISA Required Action: Apply updates per vendor instructions.

Description

Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (1 package)

🔴 Vulnerability Details (3)

GHSA: GHSA-grv7-685f-m26h: Zoho ManageEngine ServiceDesk Plus (SDP) before 10 (2022-05-14)
CVEList: CVE-2019-8394: Zoho ManageEngine ServiceDesk Plus (SDP) before 10 (2019-02-17)
VulnCheck: Zoho ManageEngine ServiceDesk Plus (SDP) File Upload Vulnerability (2019)

💥 Exploits & PoCs (1)

Exploit-DB: Zoho ManageEngine ServiceDesk Plus (SDP) < 10.0 build 10012 - Arbitrary File Upload (2019-02-18)

📋 Vendor Advisories (1)

CISA: Zoho ManageEngine ServiceDesk Plus (SDP) File Upload Vulnerability (2021-11-03)