PT-2022-25532 · Zoho · Zoho ManageEngine ServiceDesk Plus
Chudypb
Published 2022-11-12 · Updated 2023-08-08
CVE-2022-40773
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Zoho ManageEngine ServiceDesk Plus MSP versions prior to 10609
Zoho ManageEngine SupportCenter Plus versions prior to 11025
Description
The issue allows users to obtain sensitive data during an export of requests from the list view, due to a privilege escalation vulnerability. This is related to improper input validation in the exportMickeyList function.
Recommendations
For Zoho ManageEngine ServiceDesk Plus MSP versions prior to 10609, update to version 10609 or later to resolve the issue.
For Zoho ManageEngine SupportCenter Plus versions prior to 11025, update to version 11025 or later to resolve the issue.
As a temporary workaround, consider restricting access to the exportMickeyList function to minimize the risk of exploitation.
Fix
RCE
Affected Products
Zoho ManageEngine ServiceDesk Plus
Zoho ManageEngine SupportCenter Plus