CVE-2019-8395 — Path Traversal in Manageengine Servicedesk Plus

CWE-22 — Path Traversal CWE-706 — Use of Incorrectly-Resolved Name or Reference3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

12.2%

top 6.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zohocorp Manageengine Servicedesk Plus

Timeline

PublishedFeb 17

Latest updateMay 13

Description

An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an attachment to a request.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

▶NVDzohocorp/manageengine_servicedesk_plus< 10.0

🔴Vulnerability Details

GHSA

GHSA-xfcc-h2cc-43qv: An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10↗2022-05-13

▶

CVEList

CVE-2019-8395: An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10↗2019-02-17

▶