CVE ID: CVE-2023-26600
Product Name | Severity | Affected Version(s) | Fixed Version | Fixed On |
---|---|---|---|---|
ServiceDesk Plus | Medium | 14103 and below | 14104 | Jan. 24, 2023 |
ServiceDesk Plus MSP | Medium | 13004 and below | 14000 | Jan. 23, 2023 |
SupportCenter Plus | Medium | 11027 and below | 14000 | Feb. 02, 2023 |
AssetExplorer | Medium | 6987 and below | 6988 | Jan. 24, 2023 |
Details
This vulnerability allows an attacker to gain access to restricted data in the PostgreSQL database by using a certain PostgreSQL function in a query, which bypasses the validation process.
Impact
Users who have access to query reports can access restricted data.
Steps to upgrade
Acknowledgements
This vulnerability was reported by Piotr Bazydlo (@chudyPB) of Trend Micro's Zero Day Initiative.
If you have any questions or concerns, please contact product support at the email addresses below.
ServiceDesk Plus: support@servicedeskplus.com
ServiceDesk Plus MSP: support@servicedeskplusmsp.com
SupportCenter Plus: support@supportcenterplus.com
AssetExplorer: assetexplorer-support@manageengine.com