CVE-2021-20081

Severity
7.2 HIGH
EPSS
62.6%
top 1.62%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jun 10
Latest update: Dec 9

Description

Incomplete List of Disallowed Inputs in ManageEngine ServiceDesk Plus before version 11205 allows a remote, authenticated attacker to execute arbitrary commands with SYSTEM privileges.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9

Affected Packages (2 packages)

CVEListV5: manageengine_servicedesk_plus, before 11205

Vulnerability Details (2)

GHSA
GHSA-p7qv-g8g6-53r3: Incomplete List of Disallowed Inputs in ManageEngine ServiceDesk Plus before version 11205 allows a remote, authenticated attacker to execute arbitrar (2022-05-24)
CVEList
CVE-2021-20081: Incomplete List of Disallowed Inputs in ManageEngine ServiceDesk Plus before version 11205 allows a remote, authenticated attacker to execute arbitrar (2021-06-10)

Detection Rules (1)

Suricata
ET WEB_SPECIFIC_APPS Zoho ManageEngine ServiceDesk Plus Custom Schedules Arbitrary Command Execution (CVE-2021-20081) (2025-12-09)
CVE-2021-20081 (HIGH CVSS 7.2) | Incomplete List of Disallowed Input | cvebase.io