CVE-2019-15083

Name of the Vulnerable Software and Affected Versions Zoho ManageEngine ServiceDesk Plus version 10.0 before 10500

Description The issue allows a local administrator to inject malicious code into the installed program names of a computer, which can then be executed on the ManageEngine ServiceDesk administrator side when the administrator views the "Asset Home > Server > > software" page. This page displays all installed program names in the Software column, providing a vector for the local administrator to execute code. A remote attacker can exploit this to inject malicious code, which will be executed when the ManageEngine administrator visualizes this page.

Recommendations For Zoho ManageEngine ServiceDesk Plus version 10.0 before 10500, update to a version 10500 or later to resolve the issue. As a temporary workaround, consider restricting access to the "Asset Home > Server > > software" page until the update is applied. Additionally, restrict the ability of local administrators to modify installed program names to minimize the risk of exploitation.