CVE-2019-12252

MEDIUM

Zoho ManageEngine ServiceDesk Plus <10.5 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-12252. PoCs published by Vingroup.

AI-analyzed exploit summary: This exploit describes an incorrect access control vulnerability in Zoho ManageEngine ServiceDesk Plus < 10.5, allowing guest users to view arbitrary posts by manipulating the URL. No executable code is provided.

Description

In Zoho ManageEngine ServiceDesk Plus through 10.5, users with the lowest privileges (guest) can view an arbitrary post by appending its number to the SDNotify.do?notifyModule=Solution&mode=E-Mail&notifyTo=SOLFORWARD&id= substring.

Exploits (1)

exploitdb WRITEUP
by Vingroup · text · webapps · multiple
https://www.exploit-db.com/exploits/46894


Classification: Writeup 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Zoho ManageEngine ServiceDesk Plus < 10.5
No auth needed
Prerequisites: Access to the target application URL
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Third Party Advisory x_refsource_misc
https://github.com/tuyenhva/CVE-2019-12252
Broken Link vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/108456

Scores

CVSS v3 6.5
EPSS 0.0836
EPSS Percentile 94.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE CWE-639
Status published
Products (1)
zohocorp/manageengine_servicedesk_plus < 10.5
Published May 21, 2019
Tracked Since Feb 18, 2026