CVE-2021-37415

CVSS 9.8 (Critical) · EPSS 99.9% · KEV · CWE-306
In short

Zoho ManageEngine ServiceDesk Plus versions before 11302 have a flaw that allows attackers to access certain REST API functions without logging in, potentially exposing sensitive data or enabling unauthorized actions.

Technical detail

The weakness is CWE-306 (Missing Authentication Check): specific REST API endpoints in ServiceDesk Plus versions prior to 11302 can be reached without any authentication. An attacker can exploit this by directly calling the affected API URLs without credentials, bypassing the authentication controls that protect the rest of the application and gaining unauthorized access to sensitive operations.

Summary generated and translated by AI from the official description.
Zoho ManageEngine ServiceDesk Plus before 11302 is vulnerable to authentication bypass that allows a few REST-API URLs without authentication.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
