Local File Inclusion
Description
Zohocorp ManageEngine ServiceDesk Plus MSP and SupportCenter Plus versions below 14920 are vulnerable to authenticated Local File Inclusion (LFI) in the Admin module, where help card content is loaded.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ManageEngine ServiceDesk Plus MSP and SupportCenter Plus below build 14920 have an authenticated LFI in the Admin module help card, allowing technicians to read local files.
Vulnerability
An authenticated Local File Inclusion (LFI) vulnerability exists in the Admin module of Zohocorp ManageEngine ServiceDesk Plus MSP and SupportCenter Plus versions below 14920 (specifically version 14910 and earlier). The flaw occurs when help card content is loaded without proper validation of the file path, allowing an authenticated technician to include local files [1].
Exploitation
An attacker must have valid technician credentials to authenticate to the application. Once logged in, they can access the Admin module and manipulate the file path parameter used to load help card content. By supplying a path to a file within the installation folder, the attacker can cause the server to read and include that file in the response [1].
Impact
Successful exploitation allows an authenticated technician to read any file within the web server's installation folder. This can lead to disclosure of sensitive information such as configuration files, credentials, or other proprietary data [1]. The privilege level is that of a technician, and the scope is limited to files in the installation directory.
Mitigation
The vulnerability is fixed in build 14920, which was released on April 10, 2025. Users should upgrade to the latest service pack as provided by the vendor for both ServiceDesk Plus MSP and SupportCenter Plus. No workarounds are mentioned; proper input validation was applied in the fix [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
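The description above attributes the flaw to a help card file path that is loaded without validation. The following added example (not the vendor's fix and not code from the product) shows the usual server-side check for this bug class: canonicalize the requested name, then confine it to a dedicated help card directory rather than to the installation folder as a whole. The function name `resolve_help_card`, the directory layout, and the allowed suffixes are assumptions made for illustration.

```python
from pathlib import Path
import tempfile

# Assumption: help cards are static HTML/text files kept in one directory.
ALLOWED_SUFFIXES = {".html", ".txt"}

def resolve_help_card(help_root: Path, requested: str) -> Path:
    """Return the canonical path of a help card or raise ValueError."""
    if not requested or "\x00" in requested:
        raise ValueError("empty or malformed name")
    root = help_root.resolve(strict=True)
    # resolve() collapses ".." and follows symlinks BEFORE the containment test.
    candidate = (root / requested).resolve(strict=False)
    if not candidate.is_relative_to(root):
        raise ValueError("path escapes help card directory")
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError("file type not served as help content")
    if not candidate.is_file():
        raise ValueError("no such help card")
    return candidate

def demo() -> dict:
    """Classify sample requests against a constructed installation tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        install = Path(tmp) / "install"            # constructed layout
        help_root = install / "help" / "cards"
        help_root.mkdir(parents=True)
        (install / "conf").mkdir()
        (install / "conf" / "database.conf").write_text("password=constructed")
        (help_root / "admin.html").write_text("<p>constructed help card</p>")
        requests = [
            "admin.html", "sub/../admin.html", "../../conf/database.conf",
            str(install / "conf" / "database.conf"), "admin.html\x00.txt",
        ]
        for name in requests:
            try:
                resolve_help_card(help_root, name)
                results[name] = "served"
            except ValueError as exc:
                results[name] = f"rejected: {exc}"
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(repr(name), "->", verdict)
```

Checking containment against the installation root instead of the help card directory would still serve configuration files, which is the exposure the Impact section describes.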
Affected products
- Range: <14920
- Range: <14920
- Range: 0
- Range: 0
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.