CVE ID: CVE-2022-40771
| Product Name | Severity | Affected Version(s) | Fixed Version(s) | Fixed On |
|---|---|---|---|---|
| ServiceDesk Plus | Medium | 14000 and below | 14001 | Oct. 14, 2022 |
| ServiceDesk Plus MSP | Medium | 13000 and below | 13001 | Oct. 27, 2022 |
| SupportCenter Plus | Medium | 11025 and below | 11026 | Oct. 28, 2022 |
| AssetExplorer | Medium | 6980 | 6981 | Oct. 13, 2022 |
Details
ServiceDesk Plus, ServiceDesk Plus MSP, SupportCenter Plus, and AssetExplorer are vulnerable to XML external entity (XXE) injection via a malicious server used in the Analytics Plus integration: XML returned by that server is parsed with external entities enabled.
Impact
Threat actors with admin role access can retrieve local files from the server running the affected products.
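The defensive counterpart to the bug described above, as an added example that is not ManageEngine's code: a consumer for XML returned by an integration peer that refuses any DOCTYPE declaration (and, as a second line of defence, any external entity reference), so a hostile server cannot make the parser read a local file. The endpoint behaviour, the two sample responses and the placeholder file path are constructed for the example.

```python
"""Hardened consumer for XML returned by an integration endpoint.

Added example for the XXE class described in this advisory: the product
parses XML sent back by a server it was configured to talk to, so a
malicious server can smuggle an external entity that reads a local file.
Illustrative code, not ManageEngine's; the sample responses are constructed.
"""
import xml.parsers.expat


class UnsafeXml(ValueError):
    """The response carried a DOCTYPE, an external entity, or was malformed."""


def parse_untrusted_xml(data: bytes) -> dict[str, str]:
    """Parse XML from an untrusted peer into {tag: text}, refusing any DTD.

    Rejecting the DOCTYPE outright is the simplest complete fix: without a
    DTD there is nowhere to declare an entity, internal or external.  The
    external-entity handler is kept as a second line of defence.
    """
    parser = xml.parsers.expat.ParserCreate()
    text_by_tag: dict[str, str] = {}
    open_tags: list[str] = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before any entity can be declared, so this alone blocks XXE.
        raise UnsafeXml(f"DOCTYPE declaration rejected (root={name!r})")

    def on_external_entity(context, base, system_id, public_id):
        # Only reachable if a DTD slipped through; never fetch the reference.
        raise UnsafeXml(f"external entity reference rejected ({system_id!r})")

    def on_chars(text):
        # Expat may deliver one text node in several chunks; accumulate them.
        if open_tags:
            tag = open_tags[-1]
            text_by_tag[tag] = text_by_tag.get(tag, "") + text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = lambda name, attrs: open_tags.append(name)
    parser.EndElementHandler = lambda name: open_tags.pop()
    parser.CharacterDataHandler = on_chars
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise UnsafeXml(f"malformed XML from peer: {exc}") from None
    return text_by_tag


def is_safe_response(data: bytes) -> bool:
    """True if the response parses without any DTD or entity tricks."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXml:
        return False
    return True


# Constructed sample responses; the file path is a placeholder, not a real target.
BENIGN_RESPONSE = b"<response><status>ok</status><build>14001</build></response>"
HOSTILE_RESPONSE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE response [<!ENTITY leak SYSTEM "file:///placeholder/local/file">]>'
    b"<response><status>&leak;</status></response>"
)

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_RESPONSE))  # {'status': 'ok', 'build': '14001'}
    print(is_safe_response(HOSTILE_RESPONSE))    # False
```

The same policy applies in a Java code base, where the products in this advisory run: disable DOCTYPE declarations and external general/parameter entities on the `DocumentBuilderFactory` or SAX parser before handing it the peer's response, and treat a rejected document as an integration failure to be logged rather than a payload to retry with a more permissive parser.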
Steps to upgrade
Acknowledgements
This vulnerability was reported by Piotr Bazydlo (@chudypb) of Trend Micro's Zero Day Initiative.
If you have any questions or concerns, please contact product support for further details at the below-mentioned email addresses.
ServiceDesk Plus: support@servicedeskplus.com
ServiceDesk Plus MSP: support@servicedeskplusmsp.com
SupportCenter Plus: support@supportcenterplus.com
AssetExplorer: assetexplorer-support@manageengine.com