Security Advisory

SupportCenter Plus Security Advisories

July 24, 2023

A stored XSS vulnerability in the Products list view page has been fixed in SupportCenter Plus version 14200. Please refer to this security advisory to learn more and to upgrade to the latest version.

July 06, 2023

A privilege escalation vulnerability in the Release module allowed unprivileged users to access and modify the Reminders of a release ticket. Please refer to this security advisory to learn more and to upgrade to the latest version.

March 06, 2023

A privilege escalation vulnerability in query reports has been fixed in SupportCenter Plus 14000. Please refer to this security advisory to learn more and to upgrade to the latest version.

A Denial of Service vulnerability has been fixed in SupportCenter Plus version 14001. Please refer to this security advisory to learn more and to upgrade to the latest version.

February 15, 2023

An OS command injection vulnerability in custom actions has been fixed in SupportCenter Plus version 14000. Please refer to this security advisory to learn more and to upgrade to the latest version.

November 19, 2022

An RCE vulnerability when integrating with Analytics Plus has been fixed in SupportCenter Plus version 11026. Please refer to this security advisory to learn more and to upgrade to the latest version.

An XXE vulnerability when integrating with Analytics Plus has been fixed in SupportCenter Plus MSP version 11026. Please refer to this security advisory to learn more and to upgrade to the latest version.

A privilege escalation vulnerability in query reports has been fixed in SupportCenter Plus version 11025. Please refer to this security advisory to learn more and to upgrade to the latest version.

October 13, 2022

An information disclosure vulnerability allowing unauthorized users to access portal owners’ details using the V3 API has been fixed in SupportCenter Plus version 11025 (versions 11000 to 11024 remain affected). Please visit this link for more information.

October 13, 2022

A vulnerability that allows unauthorized access to restricted data has been identified and fixed in version 11025. Please refer to this security advisory for more information and upgrade to the latest version.

October 13, 2022

An unauthorized access vulnerability that can disclose privileged data has been identified and fixed in version 11025. Please refer to this security advisory for more information and upgrade to the latest version of SupportCenter Plus.

July 21, 2022

An authentication vulnerability that allowed unauthenticated users to perform operations through the V3 APIs has been fixed in SupportCenter Plus version 11023 (versions 11022, 11021, and 11020 remain affected). Please visit this link for more information.

July 11, 2022

An unauthenticated local file disclosure vulnerability that allowed users who are not logged in to download files has been fixed in version 11022. Please refer to this security advisory to learn more and upgrade to the latest version.

March 22, 2022

A stored XSS vulnerability in the request history that allowed users to inject malicious code into the application has been fixed in version 11020. Please visit this link for more information.

December 04, 2021

This security advisory addresses an authentication bypass vulnerability that affects SupportCenter Plus versions up to 11017.

Please note that we are noticing exploits of this vulnerability, and we strongly urge all customers using SupportCenter Plus (all editions) with versions up to 11017 to update to the latest version immediately.

Severity: High

Impact:

This vulnerability allows an adversary to gain unauthorized access to the application's data through a few application URLs. To do so, an attacker has to manipulate a vulnerable application URL path from the affected module with a proper character set replacement.

What led to the vulnerability?

One of the application filters used for handling state in the list view was not configured properly, and a crafted URL passing through this filter could reach a servlet that requires authentication without the user being authenticated. APIs and other URL calls are not affected.

Who is affected?

This vulnerability affects SupportCenter Plus customers of all editions using versions up to 11017.

How have we fixed it?

We have added additional checks to ensure the filters are properly configured to avoid the authentication bypass vulnerability.

How to find out if you are affected

Click the Help link in the top-right corner of the SupportCenter Plus web client, and select About from the drop-down to see your current version. If your current version is 11017, you might be affected.

Please follow this forum post for any further updates regarding this vulnerability.

What customers should do

Customers who fit the above criteria can upgrade to the latest version (11018) using the appropriate migration path.

Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to support@supportcenterplus.com or call us toll-free at +1.888.720.9500.

Important note: As always, make a copy of the entire SupportCenter Plus installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the SupportCenter Plus database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.

We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at support@supportcenterplus.com.

Best regards,
Umashankar
ManageEngine SupportCenter Plus

November 23, 2021

This security advisory addresses an unauthenticated remote code execution (RCE) vulnerability affecting SupportCenter Plus versions 11012 and 11013.

This vulnerability was addressed on September 16, 2021 in versions 11014 and above, and an advisory was published as well.

Please note that we are noticing exploits of this vulnerability, and we strongly urge all customers using SupportCenter Plus (all editions) with versions 11012 and 11013 to update to the latest version immediately.

Severity: Critical

Impact:

This vulnerability can allow an adversary to execute arbitrary code and carry out any subsequent attacks.

What led to the vulnerability?

A security misconfiguration in SupportCenter Plus led to the vulnerability.

Who is affected?

This vulnerability affects SupportCenter Plus customers of all editions using versions 11012 and 11013.

How have we fixed it?

The vulnerability has been addressed in versions 11014 and above by correcting the security configuration and removing the unused URL.

How to find out if you are affected

Click the Help link in the top-right corner of the SupportCenter Plus web client, and select About from the drop-down to see your current version. If your current version is 11012 or 11013, you might be affected.

Please follow this forum post for any further updates regarding this vulnerability.

What customers should do

Customers who fit the above criteria can upgrade to the latest version (11016) using the appropriate migration path.

Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to support@supportcenterplus.com or call us toll-free at +1.888.720.9500.

Important note: As always, make a copy of the entire SupportCenter Plus installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the SupportCenter Plus database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.

We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at support@supportcenterplus.com.

Best regards,
Umashankar
ManageEngine SupportCenter Plus

September 16, 2021

This is a security advisory regarding a possible authentication bypass vulnerability in a few application URLs in SupportCenter Plus, which has been identified and rectified. Users of SupportCenter Plus (all editions) with version 11012 and above might be affected by this vulnerability and are advised to update to the latest version (11014) immediately.

Severity: High

Impact:

This vulnerability allows an attacker to gain unauthorized access to the application's data through a few of its application URLs. To do so, an attacker has to manipulate a vulnerable application URL path with a proper character set replacement.

Such a URL can bypass the authentication process and fetch the requested data for the attacker, allowing the attacker to gain unauthorized access to user data or carry out subsequent attacks.

What led to the vulnerability?

An improper security configuration process in SupportCenter Plus led to the vulnerability.

Who is affected?

This vulnerability affects SupportCenter Plus customers of all editions using versions 11012 and above.

How have we fixed it?

The vulnerability has been addressed by fixing the security configuration process in the latest version of SupportCenter Plus.

How to find out if you are affected

Click the Help link in the top-right corner of the SupportCenter Plus web client, and select About from the drop-down to see your current version. If your current version is 11012 or above, you might be affected.

What customers should do

Customers who fit the above criteria can upgrade to the latest version (11014) using the appropriate migration path.

Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to support@supportcenterplus.com or call us toll-free at +1.888.720.9500.

Important note:

As always, make a copy of the entire SupportCenter Plus installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the SupportCenter Plus database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.

We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at support@supportcenterplus.com.

Best regards,
Umashankar
ManageEngine SupportCenter Plus

July 22, 2021

This is a security advisory regarding a possible authentication bypass vulnerability in a few REST API URLs in SupportCenter Plus, which has been identified and rectified. Users of SupportCenter Plus (all editions) with version 11000 and above might be affected by this vulnerability and are advised to update to the latest version (11013) immediately.

Severity: Critical

Impact:

This vulnerability allows an attacker to gain unauthorized access to the application's data through its API support. This would allow the attacker to gain unauthorized access to user data or aid subsequent attacks.

To do so, an attacker has to manipulate a vulnerable API URL path from the requests module with a proper character set replacement. Such a URL can bypass the authentication process and fetch the requested data for the attacker.

What led to the vulnerability?

The security framework layer used in SupportCenter Plus had an improper URL validation process that led to the vulnerability.

Who is affected?

This vulnerability affects SupportCenter Plus customers of all editions using versions 11000 and above.

How have we fixed it?

The vulnerability has been addressed in SupportCenter Plus 11013 by fixing the improper URL validation process in the security framework layer.
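Both root causes described on this page (the list-view state filter reachable through a crafted URL in the December 04, 2021 advisory, and the security framework layer's improper URL validation in this one) share a pattern: the authentication check inspected a different form of the URL than the one the servlet dispatcher eventually routed, so an encoded or oddly segmented path slipped past the check. The Python below is an added example, not SupportCenter Plus code; its public-path allowlist, the request strings, and the assumption that the hypothetical server routes case-insensitively are all constructed. It shows a deny-by-default login filter that canonicalizes the path before matching, alongside the flawed raw-string check, and a helper that flags log entries where the two decisions disagree so a defender can audit access logs for such requests.

```python
"""Canonicalize request paths before an authentication filter matches them.

Added example (hypothetical app paths), not SupportCenter Plus code.
"""
import posixpath
from urllib.parse import unquote

# Constructed allowlist: only these prefixes may be served without a session.
# Everything else is denied by default.
PUBLIC_PREFIXES = ("/login", "/static/", "/api/v3/health")


def canonicalize(path: str) -> str:
    """Return the path form the dispatcher will actually route.

    Steps: drop query and fragment, percent-decode exactly once (decoding
    repeatedly would let a double-encoded segment change after the check),
    collapse repeated slashes and resolve '.' and '..' segments, and
    case-fold because the hypothetical server routes case-insensitively.
    """
    path = path.split("?", 1)[0].split("#", 1)[0]
    path = unquote(path)
    # Force a single leading slash; normpath keeps a leading '//' otherwise.
    path = posixpath.normpath("/" + path.lstrip("/"))
    return path.lower()


def naive_requires_login(raw_path: str) -> bool:
    """Flawed check: matches the raw request string as received.

    '/static/../app/ListView.do' starts with '/static/', so it is exempted
    even though the dispatcher serves '/app/ListView.do'.
    """
    return not raw_path.startswith(PUBLIC_PREFIXES)


def requires_login(raw_path: str) -> bool:
    """Hardened check: decide on the canonical path, deny by default."""
    return not canonicalize(raw_path).startswith(PUBLIC_PREFIXES)


def decision_mismatch(raw_path: str) -> bool:
    """Detection helper for log review.

    True when the raw and canonical forms of a path lead to different
    authentication decisions, i.e. the request looks like an attempt to
    make a protected path resemble a public one (or vice versa).
    """
    return naive_requires_login(raw_path) != requires_login(raw_path)


def audit(access_log_paths):
    """Return the subset of logged paths whose auth decision flips."""
    return [p for p in access_log_paths if decision_mismatch(p)]


if __name__ == "__main__":
    # Constructed access-log paths for illustration.
    sample_log = [
        "/app/ListView.do",
        "/login?next=/app/ListView.do",
        "/static/css/site.css",
        "/static/../app/ListView.do",
        "/login/../app//./ListView.do",
        "/%61pp/ListView.do",
    ]
    for p in sample_log:
        print(f"{p:32} naive={naive_requires_login(p)!s:5} "
              f"canonical={requires_login(p)!s:5} -> {canonicalize(p)}")
    print("flagged:", audit(sample_log))
```

The design point is that the authorization decision must be made on the same canonical representation the dispatcher routes, and with an allowlist of public paths rather than a denylist of protected ones; `audit()` is the piece a defender would run over historical access logs to find requests whose raw form was crafted to disagree with its canonical form.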

How to find out if you are affected

Click the Help link in the top-right corner of the SupportCenter Plus web client. Select the About option from the drop-down to see your current version. If your current version is 11000 or above, you might be affected.

What customers should do

Customers who fit the above criteria can upgrade to the latest version (11013) using the appropriate migration path here.

Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to support@supportcenterplus.com or call us toll-free at +1.888.720.9500.

Important note:

As always, make a copy of the entire SupportCenter Plus installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the SupportCenter Plus database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.

We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at support@supportcenterplus.com.

Best regards,
Umashankar
ManageEngine SupportCenter Plus
