Risk | Medium
Patch available | Yes
Number of vulnerabilities | 2
CVE-ID | CVE-2022-40772, CVE-2022-40773
CWE-ID | CWE-264
Exploitation vector | Network
Public exploit | N/A
Vulnerable software | Zoho ManageEngine ServiceDesk Plus MSP (Server applications / Other server solutions); Zoho ManageEngine SupportCenter Plus (Server applications / Conferencing, Collaboration and VoIP solutions)
Vendor | Zoho Corporation
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU69872
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-40772
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description: The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to improper input validation within the generateSQLReport function, which leads to security restrictions bypass and privilege escalation.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Zoho ManageEngine ServiceDesk Plus MSP: 8000 - 10608
Zoho ManageEngine SupportCenter Plus: 11000 - 11024
External links:
http://manageengine.com
http://www.manageengine.com/products/service-desk-msp/cve-2022-40772.html
http://www.zerodayinitiative.com/advisories/ZDI-22-1613/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU69880
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-40773
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description: The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to improper input validation within the exportMickeyList action, which leads to security restrictions bypass and privilege escalation.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Zoho ManageEngine ServiceDesk Plus MSP: 8000 - 10608
Zoho ManageEngine SupportCenter Plus: 11000 - 11024
External links:
http://www.manageengine.com/products/service-desk-msp/cve-2022-40773.html
http://www.zerodayinitiative.com/advisories/ZDI-22-1490/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.