CVE ID: CVE-2022-35403
| Product Name | Severity | Affected Version(s) | Fixed Version | Fixed On |
|---|---|---|---|---|
| ServiceDesk Plus | High | 13007 and below | 13008 | July 7, 2022 |
| ServiceDesk Plus MSP | High | 10605 and below | 10606 | July 11, 2022 |
| SupportCenter Plus | High | 11021 and below | 11022 | July 11, 2022 |
| AssetExplorer | Medium | 6976 and below | 6977 | July 7, 2022 |
Details
This file disclosure vulnerability allows unauthenticated (non-login) users to download local files from the ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus server machines by sending a crafted email for ticket creation. AssetExplorer is affected by the same vulnerability, but it is rated medium severity there because exploitation requires authentication.
We fixed this issue by adding additional checks when processing email content, which prevents the local file disclosure in ServiceDesk Plus, ServiceDesk Plus MSP, SupportCenter Plus and AssetExplorer.
Impact
This vulnerability allows non-login users to download local files from the server machine.
Steps to upgrade
- Download the latest upgrade pack from the following links for the respective product:
  - ServiceDesk Plus – https://www.manageengine.com/products/service-desk/on-premises/migration-sequence.html
  - ServiceDesk Plus MSP – https://www.manageengine.com/products/service-desk-msp/service-packs-hotfix.html
  - SupportCenter Plus – https://www.manageengine.com/products/support-center/service-packs.html
  - AssetExplorer – https://www.manageengine.com/products/asset-explorer/service-packs.html
- Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.
Please follow the forum post for the respective products as mentioned below for any further updates regarding this vulnerability:
ServiceDesk Plus | ServiceDesk Plus MSP | SupportCenter Plus | AssetExplorer
Acknowledgements
This issue was reported by ManageEngine’s internal security team on our bug bounty portal.
If you have any questions or concerns, please contact product support for further details at the below-mentioned email addresses.
ServiceDesk Plus: support@servicedeskplus.com
ServiceDesk Plus MSP: support@servicedeskplusmsp.com
SupportCenter Plus: support@supportcenterplus.com
AssetExplorer: assetexplorer-support@manageengine.com
Important note: As always, make a copy of the entire application installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you will have this copy as a backup, which will keep all your settings intact. If you are using an MS SQL Server as a back-end database, back up the application database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.