Zoho · ManageEngine ServiceDesk Plus · CVE-2011-1509
**Name of the Vulnerable Software and Affected Versions**
ManageEngine ServiceDesk Plus (SDP) versions 8012 and earlier
**Description**
The issue concerns how passwords are encrypted in cookies. The `encryptPassword` function in Login.js uses a Caesar cipher, a simple substitution cipher that provides no real confidentiality. This makes it easier for remote attackers to obtain sensitive information by sniffing the network.
**Recommendations**
For ManageEngine ServiceDesk Plus (SDP) versions 8012 and earlier, as a temporary workaround, consider disabling the `encryptPassword` function in Login.js until a proper encryption method is implemented. Restrict access to sensitive information and network traffic to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
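An added example, not taken from the advisory or from ManageEngine's code: a check an administrator can run with a test account on their own instance to confirm whether a cookie value is only a constant-shift copy of the password, as the description above states. The printable-ASCII alphabet, the function names and the sample values are assumptions; the actual shift and alphabet used by Login.js are not given on this page, and the random token is general practice rather than a vendor fix.

```javascript
// Added example. caesarShift is a generic Caesar cipher over printable ASCII,
// NOT the encryptPassword code from Login.js (alphabet and shift are assumed).
const nodeCrypto = require('node:crypto');

const LO = 0x20;   // first printable ASCII character (space)
const SIZE = 95;   // number of printable ASCII characters (0x20..0x7e)

function caesarShift(text, shift) {
  return Array.from(text, (ch) => {
    const c = ch.charCodeAt(0);
    if (c < LO || c >= LO + SIZE) return ch;           // leave other chars as-is
    const idx = (((c - LO + shift) % SIZE) + SIZE) % SIZE; // handles negative shifts
    return String.fromCharCode(LO + idx);
  }).join('');
}

// Audit check: given the password of a test account and the cookie value
// observed for it, return the constant shift if the cookie is merely a
// shifted copy of the password, otherwise null. A result of 0 means the
// cookie holds the password in clear, so compare the result against null.
function detectConstantShift(knownPassword, cookieValue) {
  if (knownPassword.length === 0) return null;
  if (knownPassword.length !== cookieValue.length) return null;
  for (let shift = 0; shift < SIZE; shift++) {
    if (caesarShift(knownPassword, shift) === cookieValue) return shift;
  }
  return null;
}

// For contrast: an opaque random token carries no password material, so the
// same check finds nothing. The server would map the token to a session.
function newSessionToken() {
  return nodeCrypto.randomBytes(32).toString('hex');
}

// Constructed sample values for a test account (not real credentials).
const testPassword = 'Passw0rd!';
const weakCookie = caesarShift(testPassword, 3);
const finding = detectConstantShift(testPassword, weakCookie);
console.log(finding !== null
  ? `cookie is a shift-${finding} copy of the password: no key protects it`
  : 'cookie is not a constant-shift copy of the password');
console.log('opaque token check:', detectConstantShift(testPassword, newSessionToken()));
```

A non-null result means anyone who can read the cookie holds the password itself, which is why the recommendation treats the function as a stopgap to disable rather than as protection.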