The vulnerability of the software for the Zoho ManageEngine ServiceDesk Plus IT support service lies in the lack of restrictions on file uploads, allowing attackers to upload any files they desire.

🗓️ 15 May 2020 00:00:00Reported by FSTEC of Russia — Information Security Threat DatabaseType

bdu_fstec

bdu_fstec🔗 bdu.fstec.ru👁 1 Views

Zoho ManageEngine ServiceDesk Plus has unrestricted file uploads via the login page.

Reporter	Title	Published	Views	Family All 19
0day.today	Zoho ManageEngine ServiceDesk Plus (SDP) < 10.0 build 10012 - Arbitrary File Upload Vulnerability	18 Feb 201900:00	–	zdt
ATTACKERKB	CVE-2019-8394	17 Feb 201900:00	–	attackerkb
Circl	CVE-2019-8394	29 May 201815:50	–	circl
CISA KEV Catalog	Zoho ManageEngine ServiceDesk Plus (SDP) File Upload Vulnerability	3 Nov 202100:00	–	cisa_kev
CNVD	ZOHO ManageEngine ServiceDesk Plus Arbitrary File Upload Vulnerability	18 Feb 201900:00	–	cnvd
Check Point Advisories	Zoho ManageEngine SDP Arbitrary File Upload (CVE-2019-8394)	10 Dec 202000:00	–	checkpoint_advisories
CVE	CVE-2019-8394	17 Feb 201904:00	–	cve
Cvelist	CVE-2019-8394	17 Feb 201904:00	–	cvelist
Exploit DB	Zoho ManageEngine ServiceDesk Plus (SDP) < 10.0 build 10012 - Arbitrary File Upload	18 Feb 201900:00	–	exploitdb
exploitpack	Zoho ManageEngine ServiceDesk Plus (SDP) 10.0 build 10012 - Arbitrary File Upload	18 Feb 201900:00	–	exploitpack

Source	Link
xakep	www.xakep.ru/2020/04/24/web-shells/
nvd	www.nvd.nist.gov/vuln/detail/CVE-2019-8394
exploit-db	www.exploit-db.com/exploits/46413
cisa	www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv
web	www.web.nvd.nist.gov/view/vuln/detail

24 Sep 2024 00:00Current

6.8Medium risk

Vulners AI Score6.8

CVSS 36.5

CVSS 26.8

EPSS0.87518

unrestricted file uploads attackers upload files login page service desk plus zoho manageengine