Severity: Low
CVE ID: CVE-2023-23076
Product Name | Affected Version(s) | Fixed Version(s) | Fixed On |
---|---|---|---|
SupportCenter Plus | 11027 and older | 14000 | Feb. 2, 2023 |
Details
An OS command injection vulnerability allows a user with the admin role to inject and run OS commands on the target server.
Impact
The vulnerability can be exploited by threat actors to run arbitrary commands and initiate further attacks.
How have we fixed it?
We have changed the way OS commands are input and script executions are configured in the application: they are now uploaded to specific folders and pulled in using a TXT file.
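The general pattern behind this kind of fix, as an added example (not ManageEngine's code; the manifest name and format, the folder layout and all function names are assumptions): the caller supplies only a script name, which is checked against a TXT allow-list and a fixed folder, then run without a shell.

```python
import os
import subprocess
import tempfile

class ScriptRejected(ValueError):
    """The requested script may not be run."""

def load_manifest(manifest_path):
    # Assumed format: one permitted script file name per line, '#' starts a comment.
    with open(manifest_path, encoding="utf-8") as fh:
        names = (line.strip() for line in fh)
        return {n for n in names if n and not n.startswith("#")}

def build_argv(requested, scripts_dir, manifest_path, args=()):
    """Return an argv list for a manifest-listed script or raise ScriptRejected."""
    # Exact match against the manifest, and a bare file name only (no separators).
    if requested not in load_manifest(manifest_path) or os.path.basename(requested) != requested:
        raise ScriptRejected(f"not permitted: {requested!r}")
    base = os.path.realpath(scripts_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # realpath() follows symlinks, so a link that leaves the folder fails this check.
    if os.path.commonpath([base, target]) != base or not os.path.isfile(target):
        raise ScriptRejected(f"outside scripts folder or missing: {requested!r}")
    # An argv list, never a shell string: metacharacters in args stay literal.
    return [target, *map(str, args)]

def run_script(requested, scripts_dir, manifest_path, args=()):
    argv = build_argv(requested, scripts_dir, manifest_path, args)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=30)

def demo():
    """Constructed sample data: a temporary scripts folder and manifest."""
    with tempfile.TemporaryDirectory() as d:
        scripts = os.path.join(d, "scripts")
        os.mkdir(scripts)
        with open(os.path.join(scripts, "notify.sh"), "w") as fh:
            fh.write("#!/bin/sh\necho ok\n")
        manifest = os.path.join(d, "allowed_scripts.txt")
        with open(manifest, "w") as fh:
            fh.write("# permitted scripts\nnotify.sh\n../allowed_scripts.txt\n")
        results = {}
        for req in ("notify.sh", "notify.sh; id", "../allowed_scripts.txt", "other.sh"):
            try:
                argv = build_argv(req, scripts, manifest, args=["$(id)"])
                results[req] = [os.path.basename(argv[0]), *argv[1:]]
            except ScriptRejected:
                results[req] = None
        return results

if __name__ == "__main__":
    print(demo())
```

The constructed manifest deliberately contains a traversal entry to show that a manifest line alone is not trusted: the name must also be a bare file name that resolves inside the scripts folder.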
Solution:
Customers must upgrade to the latest version of ManageEngine SupportCenter Plus.
Steps to upgrade:
1. Download the latest upgrade pack from this link.
2. Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above link.
Acknowledgements:
This vulnerability was reported by HMs on our bug bounty portal.
If you have any questions or concerns, please contact product support for further details at support@supportcenterplus.com