PT-2011-12: Information Disclosure in ManageEngine ServiceDesk Plus 8.0
ManageEngine ServiceDesk Plus
Version: 8.0 (8019) and earlier
Severity level: Medium
Impact: Application Database Access
Access Vector: Network exploitable
Base Score: 6.3
CVE: not assigned
ManageEngine ServiceDesk Plus is a technical support and asset management system.
Positive Research Center has discovered an information disclosure vulnerability in ManageEngine ServiceDesk Plus.
Incorrect privilege validation allows attackers with guest privileges (account guest/guest) to modify backup rights and use these new rights to create a backup copy in any folder.
How to fix
Update your software to the latest version.
24.06.2011 - Vendor is notified
28.06.2011 - Vendor gets vulnerability details
29.11.2011 - Vendor releases fixed version and details
27.01.2012 - Public disclosure
The vulnerability was discovered by Alexander Zaitsev, Positive Research Center (Positive Technologies Company)