Unauthenticated Local File Disclosure in Zoho ManageEngine ServiceDesk Plus and SupportCenter Plus
CVE-2022-35403

7.5HIGH

Key Information:

Vendor: Zohocorp
Status: Manageengine Servicedesk Plus
Vendor: CVE Published:; 12 July 2022

What is CVE-2022-35403?

The issue allows unauthorized users to exploit an unauthenticated local file disclosure vulnerability through the ticket-creation email in Zoho ManageEngine ServiceDesk Plus and SupportCenter Plus. This flaw can potentially expose sensitive information stored on the server, posing a significant risk to the integrity and confidentiality of the data. Users should ensure they are operating on the latest versions of these products to mitigate potential security risks.

References

https://www.manageengine.com/products/service-desk/cve-20...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 12, 2022
Vulnerability Reserved
Jul 8, 2022

Zohocorp

What is CVE-2022-35403?

References

CVSS V3.1

Timeline