Vulnerability Details : CVE-2019-8394
Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization.
CVE-2019-8394 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name:
Zoho ManageEngine ServiceDesk Plus (SDP) File Upload Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
Zoho ManageEngine ServiceDesk Plus (SDP) contains an unspecified vulnerability that allows remote users to upload files via login page customization.
Added on
2021-11-03
Action due date
2022-05-03
Exploit prediction scoring system (EPSS) score for CVE-2019-8394
Probability of exploitation activity in the next 30 days: 96.69%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2019-8394
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
4.0
|
MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |
8.0
|
2.9
|
NIST |
|
6.5
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
2.8
|
3.6
|
NIST |
CWE ids for CVE-2019-8394
-
The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-8394
-
http://www.securityfocus.com/bid/107129
Zoho ManageEngine ServiceDesk Plus CVE-2019-8394 Arbitrary File Upload VulnerabilityThird Party Advisory;VDB Entry
-
https://www.manageengine.com/products/service-desk/readme.html
Readme | Hotfix & updates | ManageEngine ServiceDesk PlusRelease Notes;Vendor Advisory
-
https://www.exploit-db.com/exploits/46413/
Zoho ManageEngine ServiceDesk Plus (SDP) < 10.0 build 10012 - Arbitrary File UploadExploit;VDB Entry;Third Party Advisory
Products affected by CVE-2019-8394
- cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:*:*:*:*:*:*:*:*