CVE-2022-40773
Description
Zoho ManageEngine ServiceDesk Plus MSP before 10609 and SupportCenter Plus before 11025 are vulnerable to privilege escalation. This allows users to obtain sensitive data during an exportMickeyList export of requests from the list view.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Privilege escalation in ManageEngine ServiceDesk Plus MSP and SupportCenter Plus allows low-privilege users to access restricted data via exportMickeyList.
Vulnerability
The vulnerability exists in the exportMickeyList action of ManageEngine ServiceDesk Plus MSP (versions before 10609) and SupportCenter Plus (versions before 11025). The issue stems from improper validation of user-supplied data, allowing an authenticated attacker to escalate privileges and access resources normally protected from the user [1][2].
Exploitation
An attacker must have valid low-privilege credentials to the application. By manipulating the URL during the export of requests from the list view, the attacker can trigger the exportMickeyList action to retrieve data that should be restricted [2]. No additional user interaction is required beyond the attacker's own actions [1].
Impact
Successful exploitation leads to unauthorized access to sensitive data, including information from requests that the attacker's account should not be able to view. This constitutes a privilege escalation, resulting in a breach of confidentiality [1][2]. The CVSS score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates high impact on confidentiality, integrity, and availability [1].
Mitigation
ManageEngine released fixed versions: ServiceDesk Plus MSP version 10609 (September 26, 2022) and SupportCenter Plus version 11025 (October 13, 2022) [2]. Customers must upgrade to these versions or later. No workarounds are documented in the available references [1][2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho ManageEngine / ServiceDesk Plus MSP
  - Range: <11025
  - Range: <10609
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.