CVE-2019-8394

CVSS 7.5 HIGH · EPSS 64.1% · KEV · CWE-434
In short

Zoho ManageEngine ServiceDesk Plus before version 10.0 build 10012 allows attackers to upload any file they want through a login page customization feature. This can lead to running malicious code on the server.

Technical detail

A CWE-434 unrestricted file upload vulnerability in the login page customization functionality allows unauthenticated remote attackers to upload arbitrary files without proper validation. Successful exploitation enables remote code execution with the privileges of the affected service.

Summary generated and translated by AI from the official description.
Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Affected products
n/a · n/a
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
