Security advisory


Stored XSS vulnerability in Time Sheets

Severity : Medium

CVE ID : CVE-2023-49943

Product Name: ServiceDesk Plus MSP
Affected Version(s): 14503 and below
Fixed Version(s): 14504
Fixed On: Nov. 01, 2023

Details

This vulnerability enables a low-privileged technician to inject malicious JavaScript into a task's name while creating a time sheet. The payload is stored with the task; when the target user opens the task from the "Request/Project/Change/Task" column on the time sheet details page, the script executes in that user's browser session.

Impact

The injected script runs with the privileges of the user who views the time sheet, which a threat actor can leverage to perform further attacks against that user and the application.

How was it resolved?

We fixed the issue by HTML-encoding the task name when it is rendered on the client, so that stored markup is displayed as text rather than executed as JavaScript.
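The following is an added illustration of the vulnerable pattern described in the Details section and of the render-time encoding fix described above; it is not ServiceDesk Plus MSP code. The task record, the link markup for the "Request/Project/Change/Task" column and the payload are all constructed for the demo and are assumptions, not details taken from the product.

```javascript
// Added illustration (not ServiceDesk Plus MSP code): how a stored task name
// reaches a time-sheet page, and why output encoding at render time stops it.
// The link markup, the task record and the payload are assumptions for the demo.

// Constructed sample: a task record as a low-privileged technician could save it.
// The "name" is a classic stored-XSS payload; it sits harmlessly in the database
// until something turns it into live HTML.
const storedTask = {
  id: 4711,
  name: '<img src=x onerror="alert(document.cookie)">Fix printer',
};

// Encode the five characters that can change HTML context. Doing this once,
// at the point the value becomes HTML, is the kind of fix the advisory describes.
function encodeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// BEFORE: the task name is spliced straight into the markup of the task cell,
// so the stored payload becomes part of the page and its onerror handler runs.
function renderTaskCellVulnerable(task) {
  return '<a href="/tasks/' + task.id + '">' + task.name + '</a>';
}

// AFTER: the same cell, with every untrusted value encoded for HTML context.
// The browser now shows the literal text "<img src=x ...>Fix printer".
function renderTaskCellFixed(task) {
  return '<a href="/tasks/' + encodeHtml(task.id) + '">' + encodeHtml(task.name) + '</a>';
}

// Crude check used only by this demo: strip the anchor the template itself
// emits and see whether any other tag is left in the cell body. Any such tag
// came from the stored data, not from the template.
function containsInjectedMarkup(html) {
  const inner = html.replace(/^<a href="[^"]*">/, '').replace(/<\/a>$/, '');
  return /<[a-z!/]/i.test(inner);
}

console.log('vulnerable:', renderTaskCellVulnerable(storedTask));
console.log('fixed:     ', renderTaskCellFixed(storedTask));
```

When the cell is built in the browser with DOM APIs rather than as a string, the equivalent of `encodeHtml` is assigning the name to `element.textContent` instead of `innerHTML`; either way the rule is the same, encode or set as text at the point of output, not at the point of storage, so the value stays safe in every place it is later rendered.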

Steps to upgrade

  • Download the latest upgrade pack.
  • Apply the latest build to your existing product installation, following the instructions provided with the upgrade pack.

Acknowledgements

This vulnerability was reported by l0c4l_h05t.

If you have any questions or concerns, please contact us at support@servicedeskplusmsp.com.