Security advisory

RCE vulnerability when integrating with Analytics Plus.

CVE ID: CVE-2022-40770

Product Name           Severity   Affected Version(s)   Fixed Version(s)   Fixed On
ServiceDesk Plus       Medium     13010 and below       13011              Sept. 27, 2022
ServiceDesk Plus MSP   Medium     10610 and below       13000              Oct. 13, 2022
SupportCenter Plus     Medium     11025 and below       11026              Oct. 28, 2022

Details

The input fields needed to configure the Analytics Plus integration with ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus are vulnerable to remote command execution (RCE). Threat actors with admin role access can add malicious commands or scripts to these input fields during the setup of the integration and execute them.

Impact

This vulnerability allows a threat actor with admin role access to execute arbitrary commands and carry out any subsequent attacks.

Steps to upgrade

  1. Download the latest upgrade pack from the following links for the respective product:
  2. Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.

Acknowledgements

This vulnerability was reported by Piotr Bazydlo (@chudypb) of Trend Micro's Zero Day Initiative.

If you have any questions or concerns, please contact product support for further details at the below-mentioned email addresses.

ServiceDesk Plus: support@servicedeskplus.com

ServiceDesk Plus MSP: support@servicedeskplusmsp.com

SupportCenter Plus: support@supportcenterplus.com
