ManageEngine Service Desk Plus 10.0 Privileged Account Hijacking
# CVE-2019-10008
## ManageEngine Service Desk Plus 9.3 Privileged Account Hijacking
**Date: 30-03-2019**
**Exploit Author: Ata Hakçıl, Melih Kaan Yıldız**
**Vendor: ManageEngine**
**Vendor Homepage: www.manageengine.com**
**Product: Service Desk Plus**
**Version: 10.0**
**Tested On: Windows 10 64 bit**
**CVE: CVE-2019-10008**
# Complete PoC will be re-released after vendor patch.
## More Info:
https://flameofignis.com/en/vuln/CVE-2019-10008
https://www.youtube.com/watch?v=fCea6yRkkSQ
## Details
A security vulnerability was discovered in Service Desk Plus 9.3.
It is caused by the way session cookies are handled, and allows an attacker holding any valid credentials to authenticate as another user without knowing that user's password.
### How to use
Change the host, low_username, low_password and high_username variables to match your setup.
low_username and low_password are the credentials of an account you already have access to; high_username is the account you want to authenticate as.
After the script runs, it outputs the cookies that you can set in your browser to log in as high_username without a password.
**Run this script on a Linux OS.**