Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-10008


Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation because an established guest session is automatically converted into an established administrator session when the guest user enters the administrator username, with an arbitrary incorrect password, in an mc/ login attempt within a different browser tab.


Published

2019-04-24T19:29:00.907

Last Modified

2024-11-21T04:18:12.293

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 8.8 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
Exploitability Score

8.0

Impact Score

6.4

Weaknesses
  • Type: Primary
    CWE-384

Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application zohocorp servicedesk_plus 9.3 Yes

References