PT-2022-7164 · Manageengine · Zoho Manageengine Supportcenter Plus

Chudypb

Published: 2022-11-21 · Updated: 2023-03-13

CVE-2023-26600

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

ManageEngine ServiceDesk Plus versions 14104 and earlier
ManageEngine ServiceDesk Plus MSP versions 14000 and earlier
ManageEngine Support Center Plus versions 14000 and earlier
ManageEngine Asset Explorer versions 6987 and earlier
Description

A privilege escalation vulnerability exists in the query reports feature of the affected software. It is caused by inadequate access control in the generateSQLReport() function. A remote attacker with low privileges (PR:L in the vector above) can exploit this vulnerability to elevate their privileges.
Recommendations

For ManageEngine ServiceDesk Plus versions 14104 and earlier: consider disabling the generateSQLReport() function as a temporary workaround until a patch is available.
For ManageEngine ServiceDesk Plus MSP versions 14000 and earlier: restrict access to query reports to minimize the risk of exploitation.
For ManageEngine Support Center Plus versions 14000 and earlier: avoid using the query reports feature until the issue is resolved.
For ManageEngine Asset Explorer versions 6987 and earlier: limit the use of the generateSQLReport() function to prevent potential attacks.

Fix

Weakness Enumeration

Improper Privilege Management
Improper Access Control

Related Identifiers

BDU:2023-08495
CVE-2023-26600
ZDI-23-229

Affected Products

Zoho Manageengine Assetexplorer
Manageengine Servicedesk Plus
Zoho Manageengine Supportcenter Plus