PT-2011-10: Abritrary Files Loading in ManageEngine ServiceDesk Plus 8.0

Vulnerable software

ManageEngine ServiceDesk Plus
Version: 8.0 and earlier

Application link:

Severity level

Severity level: High
Impact: Arbitrary Code Execution
Access Vector: Remote  

CVSS v2:
Base Score: 8.5
Vector: (AV:N/AC:M/Au:S/C:C/I:C/A:C)

CVE: not assign

Software description

ManageEngine ServiceDesk Plus is a technical support and assests management system.

Vulnerability description

The specialists of the Positive Research center have detected "Abritrary Files Loading" vulnerability in ManageEngine ServiceDesk Plus.

Insufficient CSV file input filtering in user import script allows attackers with guest privileges (account guest/guest) overwrite an arbitrary file in bin folder in ServiceDesk application via TP POST request. This vulnerability allows attackers to overwrite the script that starts and stops applciations that lead to arbitrary code execution as application is started or stopped.

How to fix

Update your software up to the latest version

Advisory status

24.06.2011 - Vendor is notified
28.06.2011 - Vendor gets vulnerability details
23.04.2012 - Vendor releases fixed version and details
13.09.2012 - Public disclosure


The vulnerability has discovered by Alexander Zaitsev, Positive Research Center (Positive Technologies Company)


Reports on the vulnerabilities previously discovered by Positive Research: