CVE-2015-1480

Name of the Vulnerable Software and Affected Versions ManageEngine ServiceDesk Plus versions prior to 9.0 build 9031

Description The issue allows remote authenticated users to obtain sensitive ticket information. This can be achieved through various means, including a getTicketData action to the "servlet/AJaxServlet" endpoint, or direct requests to the "swf/flashreport.swf", "reports/flash/details.jsp", or "reports/CreateReportTable.jsp" endpoints.

Recommendations For versions prior to 9.0 build 9031, update to version 9.0 build 9031 or later to resolve the issue. As a temporary workaround, consider restricting access to the "servlet/AJaxServlet" endpoint and the "swf/flashreport.swf", "reports/flash/details.jsp", and "reports/CreateReportTable.jsp" pages to minimize the risk of exploitation.