CVE-2019-10008

moderate-risk
Published 2019-04-24

Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation because an established guest session is automatically converted into an established administrator session when the guest user enters the administrator username, with an arbitrary incorrect password, in an mc/ login attempt within a different browser tab.

Do I need to act?

9.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
1 public exploit available
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (1)

Servicedesk Plus

Affected Vendors

45 / 100 moderate-risk
Severity 30/34 · Critical
Exploitability 10/34 · Low
Exposure 5/34 · Minimal