CVE ID: CVE-2022-40773
Product Name | Severity | Affected Version(s) | Fixed Version(s) | Fixed On |
---|---|---|---|---|
ManageEngine ServiceDesk Plus MSP | High | 10608 and below | 10609 | Sept 26, 2022 |
ManageEngine SupportCenter Plus | High | 11024 and below | 11025 | Oct 13, 2022 |
Details
Users with lower access privileges can access restricted data by manipulating the URL while exporting requests from the list view.
Impact
Unauthorized access to restricted data.
Solution
Customers must upgrade to version 10609 or above of ManageEngine ServiceDesk Plus MSP and to version 11025 of ManageEngine SupportCenter Plus.
Steps to upgrade:
ServiceDesk Plus MSP customers can upgrade to version 10609 or above using the appropriate migration path listed here.
SupportCenter Plus customers can upgrade to version 11025 using the appropriate migration path listed here.
Acknowledgements:
Reported by Piotr Bazydlo (@chudypb) of Trend Micro's Zero Day Initiative.