Severity: Medium
CVE ID: CVE-2023-49943
Product Name | Affected Version(s) | Fixed Version(s) | Fixed On |
---|---|---|---|
ServiceDesk Plus MSP | 14503 and below | 14504 | Nov. 01, 2023 |
Details
This vulnerability enables a low-privileged technician to inject malicious JavaScript into a task's name when creating a time sheet. When the target user attempts to open the task from the "Request/Project/Change/Task" column on the time sheet details page, the injected JavaScript is executed.
Impact
The vulnerability can be exploited by threat actors to perform further attacks.
How was it resolved?
We fixed the issue by encoding data during client rendering to prevent JavaScript from being executed.
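The kind of render-time encoding described above, as an added example that is not the vendor's code: a task-name cell built without encoding, next to the same cell with the stored value encoded in both the attribute and the text position. The function names, the row shape, the `/task/` URL and the sample task names are hypothetical and constructed for illustration.

```javascript
// Added illustration: escapeHtml, renderTaskCell*, tagsIn and the task objects
// are hypothetical and do not come from ServiceDesk Plus MSP.

// Encode the five characters that are significant in HTML text and quoted attributes.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: the stored task name is concatenated into markup as-is, so any tags
// or attributes it contains become part of the page when the cell is rendered.
function renderTaskCellUnsafe(task) {
  return `<td class="task"><a href="/task/${task.id}" title="${task.name}">${task.name}</a></td>`;
}

// After: every stored value is encoded at render time, so the browser
// displays the task name as text instead of parsing it as markup.
function renderTaskCellEncoded(task) {
  const id = encodeURIComponent(task.id);
  const name = escapeHtml(task.name);
  return `<td class="task"><a href="/task/${id}" title="${name}">${name}</a></td>`;
}

// Constructed sample rows: one ordinary name, one containing markup.
const sampleTasks = [
  { id: 101, name: "Patch R&D file server" },
  { id: 102, name: '"><img src=x onerror=alert(1)>' },
];

// Regression-test helper: list the tag names present in rendered HTML. After
// encoding, only the tags emitted by the template itself should remain.
function tagsIn(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.map((t) => t.match(/^<\/?([a-zA-Z0-9]+)/)[1].toLowerCase());
}

for (const task of sampleTasks) {
  console.log("unsafe :", tagsIn(renderTaskCellUnsafe(task)).join(","));
  console.log("encoded:", tagsIn(renderTaskCellEncoded(task)).join(","));
}
```

A check like `tagsIn` fits in a UI regression test: any tag in a rendered cell that the template did not emit means a stored value reached the page unencoded.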
Steps to upgrade
Acknowledgements
This vulnerability was reported by l0c4l_h05t.
If you have any questions or concerns, please contact us at support@servicedeskplusmsp.com.