CVE ID: CVE-2025-3444
| Product Name | Severity | Affected Version(s) | Fixed Version(s) | Fixed On |
|---|---|---|---|---|
| ServiceDesk Plus MSP | Medium | 14910 | 14920 | Apr 10, 2025 |
| SupportCenter Plus | Medium | 14910 | 14920 | Apr 10, 2025 |
Details
An Authenticated Local File Inclusion (LFI) vulnerability exists in the Admin module, where help card content is loaded without proper validation. This allows authenticated technicians to read local files from the installation.
Impact
Through the web server, technicians could read any file added to the installation folder.
How was it resolved?
The issue was resolved by validating the file path.
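The following is an added illustration of file path validation for a content loader of this kind; it is not the vendor's code or the actual fix. The directory names, file names and function names are hypothetical, and the installation tree is constructed in a temporary directory.

```python
import os
import tempfile

class HelpCardPathError(ValueError):
    """The requested help card is missing or resolves outside the card directory."""

def resolve_help_card(base_dir, requested):
    """Return the canonical path for `requested`, or raise HelpCardPathError."""
    if "\x00" in requested:
        raise HelpCardPathError("NUL byte in path")
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks, so the test below is made on
    # the file that would actually be opened. An absolute `requested` replaces
    # `base` in join() and is then rejected by the same test.
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath compares whole components; startswith() would accept "<base>_backup".
    if os.path.commonpath([base, candidate]) != base:
        raise HelpCardPathError(f"outside help card directory: {requested!r}")
    if not os.path.isfile(candidate):
        raise HelpCardPathError(f"no such help card: {requested!r}")
    return candidate

def read_help_card(base_dir, requested):
    with open(resolve_help_card(base_dir, requested), encoding="utf-8") as fh:
        return fh.read()

def demo():
    """Run constructed requests against a constructed installation tree."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        cards = os.path.join(root, "helpcards")
        for d in ("helpcards", "helpcards_backup", "conf"):
            os.makedirs(os.path.join(root, d))
        secret = os.path.join(root, "conf", "secret.conf")
        for path, text in ((os.path.join(cards, "admin.html"), "help text"),
                           (os.path.join(root, "helpcards_backup", "old.html"), "old"),
                           (secret, "constructed secret")):
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        os.symlink(secret, os.path.join(cards, "link.html"))
        requests = {"valid": "admin.html", "dotdot": "../conf/secret.conf",
                    "sibling": "../helpcards_backup/old.html",
                    "absolute": secret, "symlink": "link.html"}
        for label, name in requests.items():
            try:
                results[label] = read_help_card(cards, name)
            except HelpCardPathError:
                results[label] = None
    return results
```

`demo()` returns the file content for the one request that stays inside the help card directory and `None` for each request that was rejected.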
Steps to upgrade:
1. Download the latest service pack from the following link:
2. Apply the latest build to your existing product installation as per the service pack instructions provided in the above link.
Acknowledgements:
This vulnerability was reported by Esther through our bug bounty portal.
If you have any questions or concerns, please contact our product support at the email addresses below.
ServiceDesk Plus MSP: support@servicedeskplusmsp.com
SupportCenter Plus: support@supportcenterplus.com