Attacker Value
Very High
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Network
1

CVE-2019-8394

Disclosure Date: February 17, 2019
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization.

Add Assessment

3
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Medium
Technical Analysis

There is a PoC available. This DOES require auth, at least a low-priv account. An example of exploitation can be found in this blog post. I was able to repro RCE using curl(1).

CVSS V3 Severity and Metrics
Base Score:
6.5 Medium
Impact Score:
3.6
Exploitability Score:
2.8
Vector:
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
High
Availability (A):
None

General Information

Vendors

  • zohocorp

Products

  • manageengine servicedesk plus

Exploited in the Wild

Reported by:

Additional Info

Technical Analysis