Security advisory


Privilege escalation vulnerability in query reports

CVE ID: CVE-2022-40772

Product                             Severity   Affected version(s)   Fixed version(s)   Fixed on
ManageEngine ServiceDesk Plus MSP   High       10608 and below       10609              Sept 26, 2022
ManageEngine SupportCenter Plus     High       11024 and below       11025              Oct 13, 2022

Details

The vulnerability affects installations that use a PostgreSQL database. Query reports accept user-authored SQL, which is checked by a validation mechanism before execution; by using a specific PostgreSQL function in the report query, an adversary can bypass that validation and read data they are not authorized to see.
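The advisory does not name the function involved, and the fix is to upgrade. The practitioner's lesson is more general: inspecting the text of user-supplied SQL is a denylist, and PostgreSQL offers many ways to reach a table without naming it directly in the query. The example below is an added illustration, not code from ManageEngine or from the advisory, showing the complementary control: run report queries as a dedicated database role whose grants cover only the report-safe tables, so that the database itself refuses access to restricted data however the query is phrased. The schema, table and role names (helpdesk, requests, requesters, aaa_password, report_reader) are hypothetical.

```sql
-- Added example (not part of the advisory or the product). Names are hypothetical.
-- Goal: enforce "what a report may read" at the database layer, independent of
-- any application-side validation of the query text.

-- 1. A dedicated LOGIN role used only by the report-execution connection pool.
--    Credentials are provisioned out of band; it is deliberately not a member
--    of the application's main role, so it cannot SET ROLE back to it.
CREATE ROLE report_reader LOGIN;

-- 2. Start from no access to the application schema.
--    Note: REVOKE ... FROM report_reader only removes grants made to that role;
--    anything granted to PUBLIC must be revoked FROM PUBLIC instead.
REVOKE ALL ON SCHEMA helpdesk FROM report_reader;
REVOKE ALL ON ALL TABLES IN SCHEMA helpdesk FROM report_reader;
REVOKE ALL ON ALL FUNCTIONS IN SCHEMA helpdesk FROM report_reader;

-- 3. Grant only what reports legitimately need.
GRANT USAGE ON SCHEMA helpdesk TO report_reader;
GRANT SELECT ON helpdesk.requests, helpdesk.requesters TO report_reader;

-- 4. Objects created later in this schema also default to no access for reports.
ALTER DEFAULT PRIVILEGES IN SCHEMA helpdesk
    REVOKE ALL ON TABLES FROM report_reader;
ALTER DEFAULT PRIVILEGES IN SCHEMA helpdesk
    REVOKE EXECUTE ON FUNCTIONS FROM report_reader;

-- 5. Bound resource use per report, since the SQL is attacker-controlled.
ALTER ROLE report_reader SET statement_timeout = '30s';
ALTER ROLE report_reader SET default_transaction_read_only = on;

-- 6. A legitimate report, executed over a connection logged in as report_reader:
SELECT id, subject, status
FROM   helpdesk.requests
WHERE  status = 'Open';

-- 7. Access to a restricted table fails at the database, whether it is named
--    directly or reached through a built-in function that takes SQL as a string;
--    table privileges are checked when the statement is actually executed:
--    SELECT * FROM helpdesk.aaa_password;      -- ERROR: permission denied
```

Two caveats when applying this pattern: the restricted role must not hold superuser or the pg_read_server_files / pg_execute_server_program roles, which bypass table grants entirely; and use a separate connection (or pool) that authenticates as the restricted role rather than SET ROLE on the application's connection, because a multi-statement report body could otherwise issue RESET ROLE. Keep the application-side validation as well; the database role is the layer that still holds when the validator is bypassed.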

Impact

Any user who has access to query reports can read restricted data from the database.

Solution

Customers must upgrade to version 10609 or above of ManageEngine ServiceDesk Plus MSP, and to version 11025 or above of ManageEngine SupportCenter Plus.

Steps to upgrade:

ServiceDesk Plus MSP customers can upgrade to version 10609 or above using the appropriate migration path listed here.

SupportCenter Plus customers can upgrade to version 11025 or above using the appropriate migration path listed here.

Acknowledgements:

Reported by Piotr Bazydlo (@chudypb) of Trend Micro's Zero Day Initiative.