CVE-2019-10008

Name of the Vulnerable Software and Affected Versions: Zoho ManageEngine ServiceDesk version 9.3

Description: The issue allows session hijacking and privilege escalation. This occurs when an established guest session is automatically converted into an established administrator session. The conversion happens when the guest user enters the administrator username, along with an arbitrary incorrect password, in a login attempt within a different browser tab. This is done through the mc/ login endpoint.

Recommendations: For Zoho ManageEngine ServiceDesk version 9.3, as a temporary workaround, consider restricting access to the mc/ login endpoint to minimize the risk of exploitation. Additionally, restrict the ability of guest users to enter administrator usernames in login attempts to prevent session hijacking and privilege escalation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.