Zoho ManageEngine ServiceDesk Plus < 10.5 - Improper Access Restrictions

  • Author: Vingroup
    Date: 2019-05-22
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/46894/
  • # Exploit Title: Zoho ManageEngine ServiceDesk Plus < 10.5 Incorrect Access Control
    # Date: 2019-05-21
    # Exploit Author: Enter of VinCSS (Vingroup)
    # Vendor Homepage: https://www.manageengine.com/products/service-desk
    # Version: Zoho ManageEngine ServiceDesk Plus < 10.5
    # CVE : CVE-2019-12252
    
    
    
    In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id= substring.
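
A log check for the request pattern described above, as an added example that is not part of the original advisory: it flags clients that successfully fetched several distinct solution ids through SDNotify.do. The combined-log line format, the sample lines, the threshold and the names solforward_id and find_enumeration are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined-log style (an assumption; adapt
# the regex to the access-log format your deployment actually writes).
SAMPLE_LOG = """\
198.51.100.7 - - [22/May/2019:10:01:02 +0000] "GET /SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id=101 HTTP/1.1" 200 5120
198.51.100.7 - - [22/May/2019:10:01:03 +0000] "GET /SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id=102 HTTP/1.1" 200 4988
198.51.100.7 - - [22/May/2019:10:01:04 +0000] "GET /SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id=103 HTTP/1.1" 200 5301
203.0.113.20 - - [22/May/2019:10:05:00 +0000] "GET /SDNotify.do?notifyTo=SOLFORWARD&id=55&mode=E-Mail&notifyModule=Solution HTTP/1.1" 200 4100
203.0.113.20 - - [22/May/2019:10:06:00 +0000] "GET /home HTTP/1.1" 200 900
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def solforward_id(target):
    """Return the id requested via the advisory's SDNotify.do pattern, else None."""
    url = urlsplit(target)
    if not url.path.lower().endswith("/sdnotify.do"):
        return None
    q = {k.lower(): v[0] for k, v in parse_qs(url.query).items()}
    if q.get("notifymodule", "").lower() != "solution":
        return None
    if q.get("notifyto", "").lower() != "solforward":
        return None
    return q.get("id")  # parameter order does not matter; a blank id yields None

def find_enumeration(log_text, threshold=3):
    """Map client -> sorted ids for clients that fetched >= threshold distinct ids."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        sol_id = solforward_id(target)
        if sol_id is not None and status == "200":
            seen[client].add(sol_id)
    return {c: sorted(ids) for c, ids in seen.items() if len(ids) >= threshold}

if __name__ == "__main__":
    for client, ids in find_enumeration(SAMPLE_LOG).items():
        print(f"{client}: {len(ids)} distinct solution ids via SDNotify.do: {ids}")
```

Correlating the flagged clients with the session's role (guest versus technician) requires application-side data that a plain access log does not carry.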