PT-2024-5294 · Zoho · Zoho ManageEngine ServiceDesk Plus (+1)

Fabrizio · Published 2024-05-25 · Updated 2024-07-03

CVE-2024-27314

CVSS v2.0: 4.0 (Medium)
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Zoho ManageEngine ServiceDesk Plus versions below 14730
Zoho ManageEngine ServiceDesk Plus MSP versions below 14720
Zoho ManageEngine SupportCenter Plus versions below 14720
Description

The vulnerability exists in the Custom Actions component of Zoho ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus because the component does not adequately protect the structure of the web page it generates. A remote attacker can exploit this to conduct a stored cross-site scripting (XSS) attack via the Custom Actions menu on the request details page. Exploitation requires an account with the SDAdmin role.
Recommendations

For Zoho ManageEngine ServiceDesk Plus versions below 14730, update to a version above 14730 to resolve the issue.
For Zoho ManageEngine ServiceDesk Plus MSP versions below 14720, update to a version above 14720 to resolve the issue.
For Zoho ManageEngine SupportCenter Plus versions below 14720, update to a version above 14720 to resolve the issue.

As a temporary workaround, consider restricting access to the Custom Actions menu for SDAdmin role users until a patch is available.

Related Identifiers

BDU:2024-05917
CVE-2024-27314

Affected Products

Zoho ManageEngine ServiceDesk Plus
Zoho ManageEngine SupportCenter Plus