CVE-2022-35403: ManageEngine security advisory

Zoho ManageEngine ServiceDesk Plus before 13008, ServiceDesk Plus MSP before 10606, and SupportCenter Plus before 11022 are affected by an unauthenticated local file disclosure vulnerability via ticket-creation email. (This also affects Asset Explorer before 6977 with authentication.)


Local file disclosure vulnerability

CVE ID: CVE-2022-35403

Product Name          Severity   Affected Version(s)   Fixed Version   Fixed On
ServiceDesk Plus      High       13007 and below       13008           July 7, 2022
ServiceDesk Plus MSP  High       10605 and below       10606           July 11, 2022
SupportCenter Plus    High       11021 and below       11022           July 11, 2022
AssetExplorer         Medium     6976 and below        6977            July 7, 2022

Details

This file disclosure vulnerability allows unauthenticated users to download local files from the ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus server machines by sending a crafted email that the product processes for ticket creation. The same vulnerability affects AssetExplorer, where it is rated medium severity because exploitation requires authentication.

We fixed this issue by adding additional checks on the email content processed during ticket creation in ServiceDesk Plus, ServiceDesk Plus MSP, SupportCenter Plus and AssetExplorer.

Impact

This vulnerability allows unauthenticated users (authenticated users in the case of AssetExplorer) to download local files from the server machine.

Steps to upgrade

  1. Download the latest upgrade pack from the following link for the respective product:
    • ServiceDesk Plus - https://www.manageengine.com/products/service-desk/on-premises/migration-sequence.html
    • ServiceDesk Plus MSP - https://www.manageengine.com/products/service-desk-msp/service-packs-hotfix.html
    • SupportCenter Plus - https://www.manageengine.com/products/support-center/service-packs.html
    • AssetExplorer - https://www.manageengine.com/products/asset-explorer/service-packs.html
  2. Apply the latest build to your existing product installation following the upgrade pack instructions provided at the above links. Installations already running the fixed build listed above, or a later build, are not affected.

Please follow the forum post for the respective products as mentioned below for any further updates regarding this vulnerability:

ServiceDesk Plus | ServiceDesk Plus MSP | SupportCenter Plus | AssetExplorer

Acknowledgements

This issue was reported by our internal security team on our bug bounty portal.

If you have any questions or concerns, please contact product support for further details at the below-mentioned email addresses.

ServiceDesk Plus: [email protected]

ServiceDesk Plus MSP: [email protected]

SupportCenter Plus: [email protected]

AssetExplorer: [email protected]

Related news

CVE-2019-19034: AssetExplorer ITAM Solution ServicePacks Readme

Zoho ManageEngine Asset Explorer 6.5 does not validate the System Center Configuration Manager (SCCM) database username when dynamically generating a command to schedule scans for SCCM. This allows an attacker to execute arbitrary commands on the AssetExplorer Server with NT AUTHORITY/SYSTEM privileges.
