CVE ID : CVE-2022-40770
|Product Name||Severity||Affected Version(s)||Fixed Version(s)||Fixed On|
|ServiceDesk Plus||Medium||13010 and below||13011||Sept. 27, 2022|
|ServiceDesk Plus MSP||Medium||10610 and below||13000||Oct 13, 2022|
|SupportCenter Plus||Medium||11025 and below||11026||Oct. 28, 2022|
The input fields needed to configure the Analytics Plus integration with ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus are vulnerable to remote command execution (RCE). Threat actors with admin role access can add malicious commands or scripts to these input fields during the setup of the integration and execute them.
This vulnerability allows a threat actor with admin role access to execute arbitrary commands and carry out any subsequent attacks.
Steps to upgrade
This vulnerability was reported by Piotr Bazydlo (@chudypb) of Trend Micro's Zero Day Initiative.
If you have any questions or concerns, please contact product support for further details at the below-mentioned email addresses.
ServiceDesk Plus: firstname.lastname@example.org
ServiceDesk Plus MSP: email@example.com
SupportCenter Plus: firstname.lastname@example.org