Session Fixation

CVE-2019-10008

High

8.8/10

Summary

Zoho ManageEngine ServiceDesk 9.3 allows session hijacking and privilege escalation because an established guest session is automatically converted into an established administrator session when the guest user enters the administrator username, with an arbitrary incorrect password, in an mc/ login attempt within a different browser tab.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-384 - Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

References

Advisory Timeline

Published Apr 24, 2019

Session Fixation

CVE-2019-10008

Summary

CWE-384 - Session Fixation

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS