CVE-2022-40773: Security advisory: CVE-2022-32551 - ServiceDesk Plus MSP
Zoho ManageEngine ServiceDesk Plus MSP before 10609 and SupportCenter Plus before 11025 are vulnerable to privilege escalation. This allows users to obtain sensitive data during an export of requests from the list view.
Privilege escalation vulnerability when exporting requests from the request list view
CVE ID : CVE-2022-40773
Product Name: ManageEngine ServiceDesk Plus MSP
Severity: High
Affected Version(s): 10608 and below
Fixed Version(s): 10609
Fixed On: Sept 26, 2022

Product Name: ManageEngine SupportCenter Plus
Severity: High
Affected Version(s): 11024 and below
Fixed Version(s): 11025
Fixed On: Oct 13, 2022
Details
Users with lower access privileges are able to access restricted data by manipulating the URL while exporting requests from the list view.
Impact
Unauthorized access to restricted data.
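The flaw described above is a classic failure to scope an export by the caller's permissions, letting URL parameters decide what is returned. The following is an added illustration, not ManageEngine code; the users, roles, sites and request records are all constructed, and the two handlers stand in for an export endpoint that trusts the URL (vulnerable) versus one that checks each requested record against what the caller may already view (hardened).

```python
# Added example (not ManageEngine code): scoping a request export by the
# caller's permissions instead of trusting identifiers supplied in the URL.
# All names, roles and records below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str                 # "admin" or "technician"
    site_ids: frozenset       # sites a technician is allowed to view


@dataclass(frozen=True)
class Request:
    id: int
    site_id: int
    subject: str


# Constructed sample data standing in for the request table.
REQUESTS = [
    Request(1, 10, "Printer offline"),
    Request(2, 10, "VPN access"),
    Request(3, 20, "Payroll data correction"),
]


def export_insecure(user, ids_from_url):
    """Vulnerable pattern: the ids in the URL alone decide what is exported."""
    return [r for r in REQUESTS if r.id in ids_from_url]


def visible_requests(user):
    """Server-side scope: admins see everything, technicians only their sites."""
    if user.role == "admin":
        return list(REQUESTS)
    return [r for r in REQUESTS if r.site_id in user.site_ids]


def export_secure(user, ids_from_url):
    """Hardened: every requested id must already be visible to the caller.
    Any out-of-scope id rejects the whole export, which is the event a
    production handler should log as suspected parameter tampering."""
    allowed = {r.id: r for r in visible_requests(user)}
    denied = sorted(i for i in ids_from_url if i not in allowed)
    if denied:
        raise PermissionError(f"{user.name} may not export requests {denied}")
    return [allowed[i] for i in ids_from_url]
```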
Solution
Customers must upgrade to version 10609 or above of ManageEngine ServiceDesk Plus MSP and to version 11025 of ManageEngine SupportCenter Plus.
Steps to upgrade:
ServiceDesk Plus MSP customers can upgrade to version 10609 or above using the appropriate migration path listed here.
SupportCenter Plus customers can upgrade to version 11025 using the appropriate migration path listed here.
Acknowledgements:
Reported by Piotr Bazydlo (@chudypb) of Trend Micro’s Zero Day Initiative.