Multiple vulnerabilities in Zoho ManageEngine ServiceDesk Plus
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 10 |
| CVE-ID | CVE-2023-23074 CVE-2023-26600 CVE-2023-26601 |
| CWE-ID | CWE-319 CWE-79 CWE-284 CWE-532 CWE-287 CWE-400 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Zoho ManageEngine ServiceDesk Plus Web applications / Remote management & hosting panels |
| Vendor | Zoho Corporation |
Security Bulletin
This security bulletin contains information about 10 vulnerabilities.
1) Cleartext transmission of sensitive information
EUVDB-ID: #VU71503
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: N/A
CWE-ID:
CWE-319 - Cleartext Transmission of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to software uses insecure communication channel to transmit passwords in backup scheduling. A remote attacker with ability to intercept network traffic can gain access to sensitive data.
MitigationInstall updates from vendor's website.
Vulnerable software versionsZoho ManageEngine ServiceDesk Plus: 14.0 14000 - 14.1 14103
CPE2.3- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14000:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14001:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14002:*:*:*:*:*:*
https://www.manageengine.com/products/service-desk/on-premises/readme.html#14104
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Stored cross-site scripting
EUVDB-ID: #VU71504
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in request life cycle. A remote user can permanently inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsZoho ManageEngine ServiceDesk Plus: 14.0 14000 - 14.1 14103
CPE2.3- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14000:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14001:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14002:*:*:*:*:*:*
https://www.manageengine.com/products/service-desk/on-premises/readme.html#14104
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Stored cross-site scripting
EUVDB-ID: #VU71505
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-23074
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Advanced Portal product tour. A remote user can permanently inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall updates from vendor's website.
Vulnerable software versionsZoho ManageEngine ServiceDesk Plus: 14.0 14000 - 14.1 14103
CPE2.3- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14000:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14001:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14002:*:*:*:*:*:*
https://www.manageengine.com/products/service-desk/on-premises/readme.html#14104
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Improper access control
EUVDB-ID: #VU71507
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-26600
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote user to escalate privileges within the application.
The vulnerability exists due to improper access restrictions within the generateSQLReport function. A remote user can escalate privileges within the application.
Install updates from vendor's website.
Vulnerable software versionsZoho ManageEngine ServiceDesk Plus: 14.0 14000 - 14.1 14103
CPE2.3- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14000:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14001:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14002:*:*:*:*:*:*
https://www.manageengine.com/products/service-desk/on-premises/readme.html#14104
https://www.manageengine.com/products/service-desk/CVE-2023-26600.html
https://www.zerodayinitiative.com/advisories/ZDI-23-229/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Inclusion of Sensitive Information in Log Files
EUVDB-ID: #VU71508
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-532 - Information Exposure Through Log Files
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to software stores sensitive information into log files. A local user can read the log files and gain access to sensitive data.
MitigationInstall updates from vendor's website.
Vulnerable software versionsZoho ManageEngine ServiceDesk Plus: 14.0 14000 - 14.1 14103
CPE2.3- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14000:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14001:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14002:*:*:*:*:*:*
https://www.manageengine.com/products/service-desk/on-premises/readme.html#14104
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Improper Authentication
EUVDB-ID: #VU71509
Risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in Two-Factor Authentication login page. A remote attacker can bypass 2FA authentication process and gain unauthorized access to the application.
MitigationInstall updates from vendor's website.
Vulnerable software versionsZoho ManageEngine ServiceDesk Plus: 14.0 14000 - 14.1 14103
CPE2.3- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14000:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14001:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14002:*:*:*:*:*:*
https://www.manageengine.com/products/service-desk/on-premises/readme.html#14104
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Improper access control
EUVDB-ID: #VU71510
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions when associating requests from projects. A remote user can bypass implemented security restrictions and gain unauthorized access to the application.
MitigationInstall updates from vendor's website.
Vulnerable software versionsZoho ManageEngine ServiceDesk Plus: 14.0 14000 - 14.1 14103
CPE2.3- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14000:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14001:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14002:*:*:*:*:*:*
https://www.manageengine.com/products/service-desk/on-premises/readme.html#14104
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Improper access control
EUVDB-ID: #VU71512
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions when disassociating requests from projects. A remote user can bypass implemented security restrictions and gain unauthorized access to the application.
MitigationInstall updates from vendor's website.
Vulnerable software versionsZoho ManageEngine ServiceDesk Plus: 14.0 14000 - 14.1 14103
CPE2.3- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14000:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14001:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14002:*:*:*:*:*:*
https://www.manageengine.com/products/service-desk/on-premises/readme.html#14104
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Improper access control
EUVDB-ID: #VU71513
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions when associating projects from requests. A remote user can bypass implemented security restrictions and gain unauthorized access to the application.
MitigationInstall updates from vendor's website.
Vulnerable software versionsZoho ManageEngine ServiceDesk Plus: 14.0 14000 - 14.1 14103
CPE2.3- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14000:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14001:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14002:*:*:*:*:*:*
https://www.manageengine.com/products/service-desk/on-premises/readme.html#14104
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Resource exhaustion
EUVDB-ID: #VU71514
Risk: Medium
CVSSv4.0: 5.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:U/U:Green]
CVE-ID: CVE-2023-26601
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources in the images upload feature (ImageUploadServlet). A remote user can upload unlimited number of images, consume all available disk space and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsZoho ManageEngine ServiceDesk Plus: 14.0 14000 - 14.1 14103
CPE2.3- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14000:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14001:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_servicedesk_plus:14.0:14002:*:*:*:*:*:*
https://www.manageengine.com/products/service-desk/on-premises/readme.html#14104
https://www.manageengine.com/products/service-desk/CVE-2023-26601.html
https://www.zerodayinitiative.com/advisories/ZDI-23-230/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
