Abstract Advisory Information
Zoho ManageEngine ServiceDesk Plus MSP before 10521 is vulnerable to Server-Side Request Forgery (SSRF).
Author: Dominique Righetto
Version affected
Name: ServiceDesk Plus MSP
Version: 10.5 Build 10517 – Edition MSPEnterprise.Common Vulnerability Scoring System
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Patches
Version 10522 (10.5.2.1), link in the references
References
- https://www.manageengine.com/products/service-desk-msp/
- https://www.manageengine.com/products/service-desk-msp/readme.html#10521
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-31531
Vulnerability Disclosure Timeline
- 27/03/2021: Vulnerability discovery
- 29/03/2021: Vulnerability Report to CERT-XLM
- 06/04/2021: Vulnerability Report to Zoho on Bugbounty Plateform
- 12/04/2021: Zoho acknowledgment
- 22/04/2021: Zoho Regestered CVE IDs to Mitre
- 19/07/2021: Vulnerability disclosure