ManageEngine ServiceDesk is prone to a vulnerability that lets attackers download arbitrary files because the application fails to sufficiently sanitize user-supplied input.
An attacker can exploit this issue to download arbitrary files within the context of the web server process. Information obtained may aid in further attacks.
ManageEngine ServiceDesk 9.3.9328 is vulnerable; other versions may also be affected.
Exploit
The researcher has created a proof-of-concept to demonstrate the issue. Please see the references for more information.
References:
- [R1] ManageEngine ServiceDesk Multiple Vulnerabilities (Tenable)
- ManageEngine Homepage (ManageEngine)