VYPR
Unrated severity · NVD Advisory · Published Mar 21, 2025 · Updated May 5, 2025

Stored XSS

CVE-2024-50053

Description

Zohocorp ManageEngine ServiceDesk Plus versions below 14920, ServiceDesk Plus MSP and SupportCentre Plus versions below 14910 are vulnerable to Stored XSS in the task feature.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated users can upload a malicious HTML file to the task feature, leading to stored XSS when other users interact with the file.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the task feature of Zohocorp ManageEngine ServiceDesk Plus versions below 14920, and ServiceDesk Plus MSP and SupportCentre Plus versions below 14910 [1]. An authenticated technician can upload a malicious HTML file during task creation, and the payload is executed when other users (technicians, administrators, or SDAdmins) interact with the file [1].

Exploitation

An attacker needs valid credentials with add or edit access to tasks in the affected products [1]. The attacker uploads a crafted HTML file as an attachment while creating or editing a task. No additional user interaction is required for the upload, but the stored payload triggers when another user views or accesses the attached file [1].
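The serving path this narrative turns on, as an added Python illustration (not ManageEngine's code, and not a substitute for the vendor's fix): a stored HTML attachment only becomes XSS if the application lets the browser render it inline in its own origin, so the hypothetical `attachment_headers` helper shows the response headers that close that path, and `sniff_active_content` shows why the decision must look at the bytes rather than the declared type.

```python
"""Hardened serving policy for user-uploaded task attachments (added
illustration, not ManageEngine's code). An HTML file attached to a task can
only become stored XSS if the server lets the browser render it inline in
the application's origin; forcing download, disabling MIME sniffing and
sandboxing active content removes that rendering path whatever was uploaded."""
import re
from urllib.parse import quote

# Tags that make a response "active" if a browser renders it inline.
# SVG is included because it can carry script just like HTML.
_ACTIVE_TAG = re.compile(
    rb"<\s*(!doctype\s+html|html|head|body|script|svg|iframe|object|embed)\b",
    re.IGNORECASE,
)


def sniff_active_content(data: bytes, window: int = 1024) -> bool:
    """True if the leading bytes look like HTML/SVG a browser would render.
    Inspects content, not the extension or the client-declared type:
    a script-bearing file renamed to .txt or .jpg still counts."""
    return _ACTIVE_TAG.search(data[:window].lstrip()) is not None


def attachment_headers(filename: str, data: bytes, declared_type: str) -> dict:
    """Response headers for serving one attachment to another user.
    declared_type is what the upload pipeline recorded for the file; it is
    overridden when the bytes themselves look like active content."""
    # Strip CR/LF and quotes so the filename cannot break or inject headers.
    safe_name = re.sub(r'[\r\n"\\]', "_", filename) or "attachment"
    headers = {
        # attachment => download prompt, never an inline document view
        "Content-Disposition": (
            f'attachment; filename="{safe_name}"; '
            f"filename*=UTF-8''{quote(safe_name)}"
        ),
        # stop the browser from guessing "this is really HTML"
        "X-Content-Type-Options": "nosniff",
        "Content-Type": declared_type,
    }
    if sniff_active_content(data):
        # Opaque type plus a sandboxed CSP: even if something forces an
        # inline view, the document runs no script and is not in our origin.
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Security-Policy"] = "sandbox"
    return headers
```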

Impact

Successful exploitation allows the attacker to execute arbitrary scripts in the context of the victim's session [1]. This can lead to information disclosure, session hijacking, or further attacks within the application. The script runs with the privileges of the authenticated user who interacts with the malicious file, so the attacker effectively acts with that user's access in the application.

Mitigation

The vulnerability is fixed in ServiceDesk Plus version 14920 (released Dec 9, 2024), ServiceDesk Plus MSP version 14910 (released Feb 25, 2025), and SupportCentre Plus version 14910 (released Feb 25, 2025) [1]. Users should upgrade to the latest service pack from the vendor's download links [1]. No workarounds are provided by the vendor.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 6

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.