A privilege escalation vulnerability caused by insecure regex in URL paths has been fixed in ServiceDesk Plus version 15110. For more details and steps to upgrade to the latest version, please refer to the associated security advisory.
A stored XSS vulnerability in the Add Task form has been fixed in ServiceDesk Plus version 14920. Please refer to this security advisory to learn more and to upgrade to the latest version.
A stored XSS vulnerability has been fixed in ServiceDesk Plus version 14820. Please refer to this security advisory to learn more and to upgrade to the latest version.
A stored XSS vulnerability in the custom menu on the request details page has been fixed in ServiceDesk Plus version 14730, ServiceDesk Plus MSP version 14720, and SupportCenter Plus version 14720. Please refer to this security advisory to learn more and to upgrade to the latest versions of these products.
A privilege escalation vulnerability in the Release module allowed unprivileged users to access the Reminders of a release ticket and modify it. Please refer to this security advisory to learn more and to upgrade to the latest version.
A XXE vulnerability in the Reports integration has been fixed in ServiceDesk Plus version 14105. Please refer to this security advisory to learn more and to upgrade to the latest version.
A privilege escalation vulnerability in query reports has been fixed in ServiceDesk Plus version 14104. Please refer to this security advisory to learn more and to upgrade to the latest version.
A Denial of Service vulnerability is fixed in ServiceDesk Plus version 14104. Please refer to this security advisory to learn more and to upgrade to the latest version.
A stored XSS vulnerability in the asset details page has been fixed in ServiceDesk Plus version 14103. Please refer to this security advisory to learn more and to upgrade to the latest version.
A stored XSS vulnerability in the Advanced Portal product tour has been fixed in ServiceDesk Plus version 14104. Please refer to this security advisory to learn more and to upgrade to the latest version.
A stored XSS vulnerability in the associate Service Requests list view on the Purchase Order details page has been fixed in ServiceDesk Plus version 14103. Please refer to this security advisory to learn more and to upgrade to the latest version.
A stored XSS vulnerability in the Release Details page has been fixed in ServiceDesk Plus version 14004. Please refer to this security advisory to learn more and to upgrade to the latest version.
An RCE vulnerability when integrating with Analytics Plus has been fixed in ServiceDesk Plus version 13011. Please refer to this security advisory to learn more and to upgrade to the latest version.
An XXE vulnerability when integrating with Analytics Plus has been fixed in ServiceDesk Plus version 14001. Please refer to this security advisory to learn more and to upgrade to the latest version.
A privilege escalation vulnerability in query reports has been fixed in ServiceDesk Plus version 14001. Please refer to this security advisory to learn more and to upgrade to the latest version.
An unauthenticated local file disclosure vulnerability that allows non-login users to download files has been fixed in version 13008. Please refer to this security advisory to learn more and upgrade to the latest version.
[CVE-2022-25245] Non-login users can extract vendor currency details. Please visit this link for more information.
This security advisory addresses two authentication bypass vulnerabilities that affect ServiceDesk Plus versions up to 12002 [CVE-2021-44526] and ServiceDesk Plus customers who use the Endpoint Central (formerly Desktop Central) agent for asset discovery [CVE-2021-44515].
Important note : If you are a customer of the Professional or Enterprise edition of ServiceDesk Plus who uses the Endpoint Central (formerly Desktop Central) agent for asset discovery, follow the steps outlined in the advisories for both CVE-2021-44526 and CVE-2021-44515.
If you are a customer of ServiceDesk Plus who does not use the Endpoint Central (formerly Desktop Central) agent, please only follow the steps outlined in the advisory for CVE-2021-44526, explained in this email.
CVE-2021-44515 affects customers of the Professional and Enterprise editions of ServiceDesk Plus who use the Endpoint Central (formerly Desktop Central) agent for asset discovery, and can lead to a remote code execution attack. We strongly urge customers who use the Endpoint Central (formerly Desktop Central) agent to refer to this security advisory for more information and the steps to upgrade Endpoint Central (formerly Desktop Central) to the latest version.
CVE-2021-44526 affects customers using all editions of the on-premises version of ServiceDesk Plus versions 12002 and below, irrespective of whether they use the Endpoint Central (formerly Desktop Central) agent, and we strongly urge all customers to upgrade to the latest version of ServiceDesk Plus immediately. This vulnerability does not affect ServiceDesk Plus Cloud versions.
The rest of the advisory will be focused on CVE-2021-44526, an authentication bypass vulnerability in ServiceDesk Plus versions up to 12002.
This vulnerability can allow an adversary to bypass authentication and access Templates' field and form rules, Technician Auto Assign settings, the Asset Field's Allowed Values, Translation and Change SLA configurations, the Assets associated to a user, and role details from Change Templates, as well as reorder the Service Catalog.
One of the application filters used for handling state in the list view was not configured properly, and a crafted URL using this filter would enable an authenticated servlet to be accessed without proper authentication. APIs and other URL calls are not affected.
This vulnerability affects ServiceDesk Plus (on-premises) customers of all editions using versions up to 12002.
We have added additional checks to ensure the filters are properly configured to avoid the authentication bypass vulnerability.
Click the Help link in the top-right corner of the ServiceDesk Plus web client, and select About from the drop-down to see your current version. If your current version (all editions) is 12002 and below, your installation is vulnerable.
Please follow this forum post for any further updates regarding this vulnerability.
Customers who fit the above criteria can upgrade to the latest version (12003) using the appropriate migration path.
Alternatively, customers can also upgrade to the appropriate versions based on their current version; details are listed here.
Customers of the Professional and Enterprise editions of ServiceDesk Plus who use the Endpoint Central (formerly Desktop Central) agent for asset discovery can refer to this security advisory for information on upgrading Endpoint Central (formerly Desktop Central).
Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to support@servicedeskplus.com or call us toll-free at +1.888.720.9500.
Important note: As always, make a copy of the entire ServiceDesk Plus installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you will have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the ServiceDesk Plus database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at support@servicedeskplus.com
Best regards,
Umashankar
ManageEngine ServiceDesk Plus
This security advisory addresses an unauthenticated remote code execution (RCE) vulnerability affecting ServiceDesk Plus versions up to 11305.
This vulnerability was addressed on September 16, 2021 in versions 11306 and above, and an advisory was published as well.
Please note that we are noticing exploits of this vulnerability, and we strongly urge all customers using ServiceDesk Plus (all editions) with versions 11305 and below to update to the latest version immediately.
This vulnerability does not affect ServiceDesk Plus Cloud versions.
This vulnerability can allow an adversary to execute arbitrary code and carry out any subsequent attacks.
A security misconfiguration in ServiceDesk Plus led to the vulnerability.
This vulnerability affects ServiceDesk Plus (on-premises) customers of all editions using versions 11305 and below.
The vulnerability has been addressed by properly configuring the security configuration and removing the unused URL in versions 11306 and above.
Click the Help link in the top-right corner of the ServiceDesk Plus web client, and select About from the drop-down to see your current version. If your current version (all editions) is 11305 and below, your installation is vulnerable.
Please follow this forum post for any further updates regarding this vulnerability.
Customers who fit the above criteria can upgrade to the latest version (12001) using the appropriate migration path.
Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to support@servicedeskplus.com or call us toll-free at +1.888.720.9500.
Important note: As always, make a copy of the entire ServiceDesk Plus installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you will have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the ServiceDesk Plus database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at support@servicedeskplus.com
This is a security advisory regarding an insufficient authentication and authorization handling vulnerability (CVE-2021-37414) in ManageEngine Endpoint Central (formerly Desktop Central), reported by an external security researcher via our bug bounty program.
Who is affected?:
This vulnerability affects customers of the on-premises version of ServiceDesk Plus (Professional and Enterprise editions) who have installed Endpoint Central (formerly Desktop Central) to leverage the unified agent for asset inventory.
Affected build numbers of Endpoint Central (formerly Desktop Central):
Endpoint Central (formerly Desktop Central) installations with the following build numbers are affected:
10.1.2121.03
10.1.2121.02
10.1.2121.04
10.1.2127.01
Severity: High
What was the problem?
An endpoint was found with insufficient access control in the Endpoint Central (formerly Desktop Central) server, which when exploited could lead to an unauthorized user gaining access to the Endpoint Central (formerly Desktop Central) instance.
How have we fixed the vulnerability?
The vulnerability has been identified and fixed in the latest build of Endpoint Central (formerly Desktop Central). To apply the fix, follow the steps below:
Note: This vulnerability is not applicable to the cloud editions of Endpoint Central (formerly Desktop Central), Patch Manager Plus, and Remote Access Plus.
For further details, please contact support at support@servicedeskplus.com.
Important note: As always, make a copy of the entire Endpoint Central (formerly Desktop Central) installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the Endpoint Central (formerly Desktop Central) database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at support@servicedeskplus.com.
Best regards,
Umashankar
ManageEngine ServiceDesk Plus
This is a security advisory regarding an authentication bypass vulnerability in a few application URLs in ServiceDesk Plus, which has been identified and rectified.
On-premises users of ServiceDesk Plus (all editions) with versions 11305 and below are affected by this vulnerability and are advised to update to the latest version immediately.
Severity: Critical
This vulnerability allows an attacker to gain unauthorized access to the application's data through a few of its application URLs. To do so, an attacker has to manipulate any vulnerable application URL path from the assets module with a proper character set replacement.
This URL can bypass the authentication process and fetch the required data for the attacker, allowing the attacker to gain unauthorized access to user data or carry out subsequent attacks.
The improper security configuration process used in ServiceDesk Plus led to the vulnerability.
This vulnerability affects ServiceDesk Plus (on-premises) customers of all editions using versions 11305 and below.
The vulnerability has been addressed by fixing the security configuration process in the latest version of ServiceDesk Plus.
Click the Help link in the top-right corner of the ServiceDesk Plus web client, and select About from the drop-down to see your current version. If your current version (all editions) is 11305 or below, you might be affected.
Customers who fit the above criteria can upgrade to the latest version (11306) using the appropriate migration path.
Alternatively, customers can also upgrade to the appropriate versions based on their current version; details are listed here.
Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to support@servicedeskplus.com or call us toll-free at +1.888.720.9500.
As always, make a copy of the entire ServiceDesk Plus installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the ServiceDesk Plus database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at support@servicedeskplus.com.
Best regards,
Umashankar
ManageEngine ServiceDesk Plus
This is a security advisory regarding a possible authentication bypass vulnerability in a few REST API URLs in ServiceDesk Plus, which has been identified and rectified. On-premises users of ServiceDesk Plus (all editions) with version 11005 and above might be affected by this vulnerability and are advised to update to the latest version (11302) immediately.
Severity: Critical
This vulnerability allows an attacker to gain unauthorized access to the application's data through its API support. This would allow the attacker to gain unauthorized access to user data or aid subsequent attacks.
To do so, an attacker has to manipulate any vulnerable API URL path from the requests or assets module with a proper character set replacement. This URL can bypass the authentication process and fetch the required data for the attacker.
The security framework layer used in ServiceDesk Plus had an improper URL validation process that led to the vulnerability.
This vulnerability affects ServiceDesk Plus (on-premises) customers of all editions using versions 11005 and above.
The vulnerability has been addressed by fixing the improper URL validation process in the security framework layer in the latest version of ServiceDesk Plus.
Click the Help link in the top-right corner of the ServiceDesk Plus web client. Select the About option from the drop-down to see your current version. If your current version (all editions) is 11005 or above, you might be affected.
Customers who fit the above criteria can upgrade to the latest version (11302) using the appropriate migration path here.
Alternatively, customers can also upgrade to the appropriate versions based on their current version; details are listed here.
Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to support@servicedeskplus.com or call us toll-free at +1.888.720.9500.
As always, make a copy of the entire ServiceDesk Plus installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the ServiceDesk Plus database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at support@servicedeskplus.com.
Best regards,
Umashankar
ManageEngine ServiceDesk Plus
This is a security advisory regarding possible Integer/Heap Overflow - Remote Code Execution (RCE) and Remote Denial of Service vulnerabilities in ServiceDesk Plus, which have been identified and rectified. On-premises users of ServiceDesk Plus (Professional and Enterprise editions) with versions up to 11207 and using the ServiceDesk Plus asset scanning agents might be affected by the vulnerabilities and are advised to update to the latest version (11300) immediately.
Severity: High
The Integer/Heap Overflow - RCE vulnerability allows an attacker to send a new scan request to a listening agent on the network and also receive the agent's HTTP request verifying its authtoken. The agent reaching out over HTTP makes it vulnerable to an integer overflow, which can be turned into a heap overflow if the POST payload response is too large. This allows for RCE as NT AUTHORITY/SYSTEM on the agent machine.
The Remote Denial of Service vulnerability might be exploited to repetitively send commands to the ServiceDesk Plus agent, which listens on port 9000 for incoming commands over HTTPS from the ManageEngine server. While these commands may not be executed, the ServiceDesk Plus agent reaches out to the ManageEngine server for an HTTP request, which results in a memory leak. These memory leaks allow a remote attacker to send commands to the agent repetitively and eventually crash the agent due to an out-of-memory condition.
The Integer/Heap Overflow - RCE vulnerability was caused by the ServiceDesk Plus asset scan agent not validating HTTPS certificates, which allows an attacker on the network to statically configure their IP address to match the ServiceDesk Plus server's IP address.
The Remote Denial of Service vulnerability was caused by HTTPS certificates not being verified, which allows any arbitrary user on the network to send commands over port 9000.
These vulnerabilities affect customers of the Professional and Enterprise editions of ServiceDesk Plus (on-premises) using versions up to 11207 and using the product's asset scanning agents.
Both vulnerabilities have been addressed in ServiceDesk Plus 11300 by adopting the unified agent from Endpoint Central (formerly Desktop Central) for asset discovery. The existing asset scanning agents have been replaced with these unified agents for scanning Windows, Linux, and macOS devices.
Click the Help link in the top-right corner of the ServiceDesk Plus web client. Select the About option from the drop-down to see your current version. If your current version (Professional and Enterprise editions) is 11207 or below and you are using the asset scanning agent in ServiceDesk Plus, you might be affected.
Customers who fit the above criteria can upgrade to the latest version (11300) using the appropriate migration path here:
https://www.manageengine.com/products/service-desk/on-premises/service-packs.htmlPlease read the upgrade instructions carefully before beginning the upgrade. For assistance, write to support@servicedeskplus.com or call us toll-free at +1.888.720.9500.
As always, make a copy of the entire ServiceDesk Plus installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the ServiceDesk Plus database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at support@servicedeskplus.com.
Best regards,
Umashankar
ManageEngine ServiceDesk Plus
This is a security advisory regarding a possible authentication bypass vulnerability in ServiceDesk Plus, which has been identified and rectified. On-premises users of ServiceDesk Plus version 10511 to 11133 who have enabled SAML authentication are affected by this vulnerability and advised to update to the latest version (11134) immediately.
Severity: High
This vulnerability might be exploited to log in to a ServiceDesk Plus installation with administrative privileges to access information or change service desk configurations, both of which can be used to provide unauthorized access to user data or aid subsequent attacks. To do so, an attacker would need to carry out two steps. First, they would need to enter the credentials of any service desk user's account. Then they would need to alter the parameter 'username' to another username with administrative privileges after SAML validation. This would require the attacker to know three pieces of information: the user credentials of any service desk account, the username of an administrator account, and the domain details.
The security check process used by ServiceDesk Plus to authenticate the username and the user domain post SAML validation had a vulnerability that made it possible to change the parameter 'username' post SAML validation.
This vulnerability could be exploited to log in to a ServiceDesk Plus installation as an administrator.
This vulnerability affects customers of any edition of ServiceDesk Plus (on-premises) using version 10511 to 11133 who have SAML authentication enabled.
This particular vulnerability has been addressed in ServiceDesk Plus 11134 by fixing the security check mechanism such that authentication occurs with the username and domain details stored securely rather than from direct incoming parameters that can be tampered with easily.
Click the Help link in the top-right corner of the ServiceDesk Plus web client. Select the About option from the drop-down to see your current version. If your current version is between 10511 and 11133 and you are using SAML authentication, you might be affected.
ServiceDesk Plus versions 11100 to 11133
Download the upgrade pack from https://www.manageengine.com/products/service-desk/service-packs.html and immediately upgrade to the latest version (11134).
Please follow this forum post for further updates. Alternatively, you can upgrade to the latest version (11134) using the appropriate migration path here: https://www.manageengine.com/products/service-desk/on-premises/service-packs.html
Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to support@servicedeskplus.com or call us toll-free at +1.888.720.9500.
As always, make a copy of the entire ServiceDesk Plus installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the ServiceDesk Plus database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at support@servicedeskplus.com.
Best regards,
Umashankar
ManageEngine ServiceDesk Plus
This is a security advisory regarding a directory traversal vulnerability (also known as file path traversal) in ServiceDesk Plus, which has been identified and rectified. On-premises users of ServiceDesk Plus versions 11100 to 11105 are affected by this vulnerability and advised to update to the latest version (11106) immediately.
Severity :High
An unauthenticated attacker might be able to access arbitrary files on the server running ServiceDesk Plus, outside the web server's document directory, using a specially crafted URL. This vulnerability might be exploited to access sensitive information to aid in subsequent attacks.
ServiceDesk Plus allows technicians to initiate remote sessions on Windows workstations using the Web Remote capability. This feature is enabled through a third-party tool, RemoteSpark, which is bundled with ServiceDesk Plus.
The use of RemoteSpark's Spark View Version 5.8 (Build 903-928) in ServiceDesk Plus versions 11100 to 11105 led to this vulnerability.
Customers of ServiceDesk Plus (on-premises) using versions 11100 to 11105 across all editions are affected by this vulnerability.
This particular vulnerability has been addressed in ServiceDesk Plus 11106 by migrating to RemoteSpark Spark View Version 5.2(Build 942).RemoteSpark has confirmed with ManageEngine that the issue has been fixed in this version.
Click the Help link in the top-right corner of the ServiceDesk Plus web client. Select the About option from the drop-down to see your current version. If your current version is between 11100 and 11105, you might be affected.
Download the upgrade pack from https://www.manageengine.com/products/service-desk/service-packs.html and immediately upgrade to the latest version (11106). Please read the upgradeinstructions carefully before beginning the upgrade. For assistance, write to support@servicedeskplus.com or call us toll-free at +1.888.720.9500.
As always, make a copy of the entire ServiceDesk Plus installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the ServiceDesk Plus database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused.If you have any questions or concerns, please reach out to us at support@servicedeskplus.com.
Best regards,
Umashankar
ManageEngine ServiceDesk Plus
This is a security advisory for ServiceDesk Plus customers using versions 9328 or earlier. We recommend that you upgrade to the latest version of ServiceDesk Plus, 9400, to fix the security vulnerability described below.
Description: ServiceDesk Plus contained a vulnerability through which it was possible to upload files using an unauthenticated servlet. This was identified and disclosed by Digital Defense, a provider of security risk assessment solutions. For details, please refer to the public disclosure published on January 30th.
Severity :Very High
Affects: ServiceDesk Plus customers using version 9328 or earlier.
Background: Digital Defense responsibly disclosed the vulnerability to ManageEngine in November of 2017. Shortly afterwards, our security and development teams touched base with Digital Defense to gather more information. We accord the highest priority to fixing vulnerabilities, and this particular vulnerability was addressed on January 2nd with an update to ServiceDesk Plus (version 9333). Customers using this version and above already have protection from the disclosed vulnerability.
Next Steps: Download the upgrade pack from https://www.manageengine.com/products/service-desk/service-packs.html and immediately upgrade to the latest version (9400). Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to support@servicedeskplus.com or call us toll-free at +1.888.720.9500.
Important Note: As always, make a copy of the entire ServiceDesk Plus installation folder before applying the upgrade and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using a MS SQL server as a back-end database, back up the ServiceDesk Plus database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused.
Thanks,
Umashankar
ServiceDesk Plus team.