Security advisory

Non-login users can extract vendor currency details

Severity : Low

CVE ID : CVE-2022-25245

Product Name Affected Version(s) Fixed Version(s) Fixed On
ServiceDesk Plus 13000 and below 13001 March 9, 2022
AssetExplorer 6970 and below 6971 March 9, 2022


Using the approval login URL, which is used to approve purchase details without a login to the application, non-login users are able to extract vendor currency details.


Users can extract all vendor currency details without logging in to the application.

Steps to upgrade

  1. Download the latest upgrade pack from the following links for the respective product:
  2. Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.


This issue was reported by Matt on our bug bounty portal.

Please contact the product support for further details at the below mentioned email addresses:

ServiceDesk Plus:


For assistance, call us toll-free at +1.888.720.9500

Let's support faster, easier, and together