Security advisory

Stored XSS vulnerability in request module

CVE ID : CVE-2024-41150

Product Name          Severity  Affected Version(s)  Fixed Version(s)  Fixed On
ServiceDesk Plus      Medium    14810 and below      14820             Jul. 19, 2024
ServiceDesk Plus MSP  Medium    14800 and below      14810             Aug. 20, 2024
SupportCenter Plus    Medium    14800 and below      14810             Aug. 20, 2024

Details

A stored cross-site scripting (XSS) vulnerability allowed users to inject malicious JavaScript while creating a new request. This script would be executed whenever a user opens the request details page.

Impact

Threat actors with access to the request module can exploit this vulnerability to carry out additional attacks.

How was it resolved?

We resolved the issue by encoding data during client-side rendering, preventing the execution of JavaScript.
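The fix described above is output encoding at render time. The following is an added illustration of that technique, not code from ServiceDesk Plus or the other affected products; the request fields (subject, description) and the render functions are assumptions chosen to show the vulnerable pattern next to the hardened one.

```javascript
// Added example: HTML entity encoding applied during client-side rendering.
// Not code from the affected products; the request shape and render helpers
// are assumptions made for illustration.

// Characters that can change HTML structure or break out of an attribute value.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode stored request data so the browser treats it as text, never as markup.
function encodeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern, kept for contrast: stored fields are concatenated straight
// into markup, so a tag stored in the subject becomes part of the page.
function renderRequestUnsafe(request) {
  return `<h2>${request.subject}</h2><p>${request.description}</p>`;
}

// Hardened pattern: every untrusted field passes through encodeHtml() at the
// moment it is placed into HTML text content.
function renderRequestSafe(request) {
  return `<h2>${encodeHtml(request.subject)}</h2>` +
         `<p>${encodeHtml(request.description)}</p>`;
}

// Review check: does a raw script or event-handler tag survive into the output?
function hasExecutableMarkup(html) {
  return /<script\b/i.test(html) || /<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Constructed sample request (not a real ticket) whose fields carry markup.
const sampleRequest = {
  subject: 'Printer offline <script>alert(1)</script>',
  description: 'Onclick handler: <img src=x onerror="alert(1)"> & more',
};

// Stand-alone run: compare both renderings.
console.log('unsafe executable:', hasExecutableMarkup(renderRequestUnsafe(sampleRequest)));
console.log('safe executable:  ', hasExecutableMarkup(renderRequestSafe(sampleRequest)));
console.log(renderRequestSafe(sampleRequest));
```

String concatenation is used here only so the example runs without a DOM; in a real page the same result comes from assigning `element.textContent` or from a templating framework that escapes by default. Entity encoding is the right defence for HTML text and quoted attribute contexts, which is where this advisory's data lands; data placed inside a script block, a URL, or a style attribute needs its own context-specific encoding instead.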

Steps to upgrade

  1. Download the latest upgrade pack from the following links for the respective products:
  2. Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.

Acknowledgements

This vulnerability was reported by Muhammed Mekkawy in our Bug Bounty portal.

If you have any questions or concerns, please contact product support at the email addresses below:

ServiceDesk Plus: support@servicedeskplus.com

ServiceDesk Plus MSP: support@servicedeskplusmsp.com

SupportCenter Plus: support@supportcenterplus.com
