CVE-2015-1480
ZOHO ManageEngine ServiceDesk Plus <9.0 build 9031 - Info Disclosure
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2015-1480. PoCs published by Rewterz - Research Group.
AI-analyzed exploit summary: This advisory describes an improper privilege management vulnerability in ManageEngine ServiceDesk Plus, allowing low-privileged users to access administrative data. The PoC includes URLs demonstrating unauthorized access to ticket data and reports.
Description
ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to obtain sensitive ticket information via a (1) getTicketData action to servlet/AJaxServlet or a direct request to (2) swf/flashreport.swf, (3) reports/flash/details.jsp, or (4) reports/CreateReportTable.jsp.