CVE ID: CVE-2022-40771
| Product Name | Severity | Affected Version(s) | Fixed Version(s) | Fixed On |
|---|---|---|---|---|
| ServiceDesk Plus | Medium | 14000 and below | 14001 | Oct. 14, 2022 |
| ServiceDesk Plus MSP | Medium | 13000 and below | 13001 | Oct. 27, 2022 |
| SupportCenter Plus | Medium | 11025 and below | 11026 | Oct. 28, 2022 |
| AssetExplorer | Medium | 6980 | 6981 | Oct. 13, 2022 |
ServiceDesk Plus, ServiceDesk Plus MSP, SupportCenter Plus, and AssetExplorer are vulnerable to XML external entity (XXE) injection through the Analytics Plus integration. When the integration is pointed at a malicious server, the XML that server returns is parsed with external entities enabled, so an entity declaration in the response can name a file on the product's host and have its contents pulled into the parsed document.
A threat actor with admin role access (the role needed to configure the integration) can use this to retrieve local files from the server running the affected product.
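The following is an added illustration of the bug class described above, not code from the advisory or from any ManageEngine product. It assumes a hypothetical integration response shape (`<response><status>...</status></response>`) and plants a throwaway secret file to stand in for a configuration file on the product host; both are constructed for the demonstration. The first parser is configured the way a vulnerable consumer is (external general entities resolved), the second rejects any DOCTYPE and never fetches external entities.

```python
import io
import os
import tempfile
import xml.sax
import xml.sax.handler
from xml.parsers import expat


class TextCollector(xml.sax.handler.ContentHandler):
    """Collect every run of character data the parser reports."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def text(self):
        return "".join(self.chunks)


def malicious_response(target_path: str) -> bytes:
    """Constructed stand-in for what a hostile 'Analytics Plus' server would
    return: the internal DTD subset declares an external entity pointing at a
    local file on the product host, and the body references it so the parser
    inlines that file's contents into the document."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE response [<!ENTITY xxe SYSTEM "{target_path}">]>\n'
        '<response><status>&xxe;</status></response>'
    ).encode()


def parse_vulnerable(xml_bytes: bytes) -> str:
    """Parser set up like a vulnerable consumer: feature_external_ges is on,
    so SYSTEM "/path" is opened and read from the local disk."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, True)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def parse_hardened(xml_bytes: bytes) -> str:
    """Hardened consumer: reject any DOCTYPE outright (an integration response
    never legitimately needs one) and refuse to fetch external entities even
    if a declaration somehow slipped past that check."""
    parser = expat.ParserCreate()
    chunks = []

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE in integration response rejected")

    parser.StartDoctypeDeclHandler = reject_doctype
    # Returning 0 makes expat abort instead of resolving the entity.
    parser.ExternalEntityRefHandler = lambda context, base, sysid, pubid: 0
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def demo():
    """Plant a known secret on disk (constructed for the demo), feed the
    hostile response to both parsers, and return what each did with it."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-")
    with os.fdopen(fd, "w") as f:
        f.write("db.password=hunter2")
    try:
        payload = malicious_response(path)
        leaked = parse_vulnerable(payload)      # file contents come back as text
        try:
            parse_hardened(payload)
            blocked = False
        except ValueError:
            blocked = True                      # DOCTYPE refused before any I/O
        return leaked, blocked
    finally:
        os.unlink(path)


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser rejected the response:", blocked)
```

The fix that matters is the first line of `parse_hardened`: a response from a remote integration endpoint should never be allowed to carry a DTD at all, which removes entity declarations (internal and external) as a class rather than relying on the entity-resolution switch of whichever parser the product happens to use.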
Steps to upgrade
This vulnerability was reported by Piotr Bazydlo (@chudypb) of Trend Micro's Zero Day Initiative.
If you have any questions or concerns, please contact product support for further details at the below-mentioned email addresses.
ServiceDesk Plus: email@example.com
ServiceDesk Plus MSP: firstname.lastname@example.org
SupportCenter Plus: email@example.com