Hms

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine ServiceDesk Plus version 14 **Description** The issue is a cross site scripting (XSS) vulnerability. It affects the purchase component via PO. **Recommendations** For Zoho ManageEngine ServiceDesk Plus version 14, update to a version that fixes this issue. As a temporary workaround, consider restricting access to the purchase component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine ServiceDesk Plus version 14 **Description** The issue is related to a cross site scripting (XSS) vulnerability. This vulnerability can be exploited via embedding videos in the language component. **Recommendations** For Zoho ManageEngine ServiceDesk Plus version 14, consider disabling the video embedding feature in the language component until a patch is available. Restrict access to the language component to minimize the risk of exploitation. Avoid using the video embedding feature in the affected version until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Support Center Plus version 11 **Description** The issue is an OS Command injection vulnerability in Support Center Plus via Executor in Action when creating new schedules. **Recommendations** For Support Center Plus version 11, consider disabling the Executor in Action feature when creating new schedules until a patch is available. Restrict access to the schedule creation functionality to minimize the risk of exploitation. Avoid using the vulnerable Executor in Action feature in Support Center Plus version 11 until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine ServiceDesk Plus version 14 **Description** The issue is related to a cross site scripting (XSS) vulnerability. It occurs via the comment field when changing the credentials in the Assets. **Recommendations** For Zoho ManageEngine ServiceDesk Plus version 14, consider disabling the comment field when changing credentials in the Assets as a temporary workaround until a patch is available. Restrict access to the Assets module to minimize the risk of exploitation. Avoid using the comment field in the affected area until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine ServiceDesk Plus version 13 **Description** The issue is related to a cross site scripting (XSS) vulnerability. This vulnerability exists due to inadequate protection of the web page structure, allowing a remote attacker to conduct an XSS attack. The vulnerability can be exploited via the comment field when adding a new status comment. **Recommendations** For Zoho ManageEngine ServiceDesk Plus version 13, consider disabling the comment field when adding a new status comment as a temporary workaround until a patch is available. Restrict access to this feature to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.