ManageEngine ServiceDesk Plus 9.0 Privilege Escalation

Type packetstorm
Reporter Muhammed Ahmed Siddiqui
Modified 2015-01-23T00:00:00


[REWTERZ-20140103] - Rewterz - Security Advisory  
Title: ManageEngine ServiceDesk Plus User Privileges Management Vulnerability  
Product: ServiceDesk Plus (  
Affected Version: 9.0 (Other versions could also be affected)  
Fixed Version: 9.0 Build 9031  
Vulnerability Impact: Low  
Advisory ID: REWTERZ-20140103  
Published Date: 22-Jan-2015  
Researcher: Muhammad Ahmed Siddiqui  
Email: ahmed [at]  
Product Introduction  
ServiceDesk Plus is a help desk software with integrated asset and  
project management built on the ITIL framework. It is available in 29  
different languages and is used by more than 85,000 companies, across  
186 countries, to manage their IT help desk and assets.  
Vulnerability Information  
Class: Improper Privilege Management  
Impact: Low privileged user can access application data  
Remotely Exploitable: Yes  
Authentication Required: Yes  
User interaction required: Yes  
CVE Name: N/A  
Vulnerability Description  
A user with limited privileges could gain access to certain  
functionality that is available only to administrative users. For  
example, users with Guest privileges can see the subjects of the  
tickets, stats and other information related to tickets.  
23-Dec-2014 – Notification to Vendor  
24-Dec-2014 – Response from Vendor  
30-Dec-2014 – Vulnerability fixed by Vendor  
About Rewterz  
Rewterz is a boutique Information Security company, committed to  
consistently providing world class professional security services. Our  
strategy revolves around the need to provide round-the-clock quality  
information security services and solutions to our customers. We  
maintain this standard through our highly skilled and professional  
team, and custom-designed, customer-centric services and products.  
Complete list of vulnerability advisories published by Rewterz: