SecuriTricks - CVE-2024-41150

Description

An Stored Cross-site Scripting vulnerability in request module affects Zohocorp ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus.This issue affects ServiceDesk Plus versions: through 14810; ServiceDesk Plus MSP: through 14800; SupportCenter Plus: through 14800.

Product(s) Impacted

Vendor	Product	Versions
Zohocorp	Manageengine Servicedesk Plus Manageengine Servicedesk Plus Msp Manageengine Supportcenter Plus	, 14.8 , 14.8 *, 14.8

Weaknesses

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

*CPE(s)

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	zohocorp	manageengine_servicedesk_plus	/	/	/	/	/	/	/	/
a	zohocorp	manageengine_servicedesk_plus	14.8	14810	/	/	/	/	/	/
a	zohocorp	manageengine_servicedesk_plus_msp	/	/	/	/	/	/	/	/
a	zohocorp	manageengine_servicedesk_plus_msp	14.8	14800	/	/	/	/	/	/
a	zohocorp	manageengine_supportcenter_plus	/	/	/	/	/	/	/	/
a	zohocorp	manageengine_supportcenter_plus	14.8	14800	/	/	/	/	/	/

References

https://www.manageengine.com/products/service-desk/CVE-2024-41150.html

CVSS Score

6.1 / 10

CVSS Data

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

View Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Date

Published: Aug. 23, 2024, 3:15 p.m.
Last Modified: Aug. 27, 2024, 2:35 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

0fc0942c-577d-436f-ae8e-945763c79b02

CVE-2024-41150