Vulnerability Details CVE-2019-12252
In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the SDNotify.do?notifyModule=Solution&mode=E-Mail¬ifyTo=SOLFORWARD&id= substring.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.087
EPSS Ranking 92.0%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 4.0
References
- http://packetstormsecurity.com/files/153029/Zoho-ManageEngine-ServiceDesk-Plus-Privilege-Escalation.html
- http://www.securityfocus.com/bid/108456
- https://github.com/tuyenhva/CVE-2019-12252
- https://www.manageengine.com/products/service-desk/readme.html
- http://packetstormsecurity.com/files/153029/Zoho-ManageEngine-ServiceDesk-Plus-Privilege-Escalation.html
- http://www.securityfocus.com/bid/108456
- https://github.com/tuyenhva/CVE-2019-12252
- https://www.manageengine.com/products/service-desk/readme.html
Products affected by CVE-2019-12252
-
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:-
-
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0
-
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0.0
-
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.5
-
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:8.1
-
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:8.2
-
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.0
-
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.1
-
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.2
-
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.3
-
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:9.4