Security advisory

Local file disclosure vulnerability

CVE ID: CVE-2022-35403

Product Name         | Severity | Affected Version(s) | Fixed Version | Fixed On
ServiceDesk Plus     | High     | 13007 and below     | 13008         | July 7, 2022
ServiceDesk Plus MSP | High     | 10605 and below     | 10606         | July 11, 2022
SupportCenter Plus   | High     | 11021 and below     | 11022         | July 11, 2022
AssetExplorer        | Medium   | 6976 and below      | 6977          | July 7, 2022

Details

This file disclosure vulnerability allows unauthenticated (non-login) users to download local files from the ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus server machines by sending a crafted email that is processed for ticket creation. AssetExplorer is affected by the same vulnerability, but it is rated medium severity there because exploitation requires authentication.

We fixed this issue by adding additional checks when processing email content, which prevents the local file disclosure in ServiceDesk Plus, ServiceDesk Plus MSP, SupportCenter Plus and AssetExplorer.

Impact

This vulnerability allows non-login users to download local files from the server machine.

Steps to upgrade

  1. Download the latest upgrade pack from the following links for the respective product:
  2. Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.

Please follow the forum post for the respective products as mentioned below for any further updates regarding this vulnerability:

ServiceDesk Plus | ServiceDesk Plus MSP | SupportCenter Plus | AssetExplorer

Acknowledgements

This issue was reported by our internal security team on our bug bounty portal.

If you have any questions or concerns, please contact product support for further details at the below-mentioned email addresses.

ServiceDesk Plus: support@servicedeskplus.com

ServiceDesk Plus MSP: support@servicedeskplusmsp.com

SupportCenter Plus: support@supportcenterplus.com

AssetExplorer: assetexplorer-support@manageengine.com
