CVE ID : CVE-2024-50053
| Product Name | Severity | Affected Version(s) | Fixed Version(s) | Fixed On |
|---|---|---|---|---|
| ServiceDesk Plus | Medium | 14910 and below | 14920 | Dec 09, 2024 |
| ServiceDesk Plus MSP | Medium | 14900 and below | 14910 | Feb 25, 2025 |
| SupportCentre Plus | Medium | 14900 and below | 14910 | Feb 25, 2025 |
Details
A stored cross-site scripting (XSS) vulnerability allowed authenticated technicians to upload a malicious HTML file during task creation. The payload would be executed when other technicians or administrators (or SDAdmins) interact with the file.
Impact
Threat actors who have add/edit access to tasks could exploit this vulnerability to run custom scripts and carry out further malicious attacks.
How was it resolved?
We resolved this issue by encoding data during client-side rendering to prevent the script from being executed.
Steps to upgrade
Acknowledgements
This vulnerability was reported by Dinh Vu through our bug bounty portal.
If you have any questions or concerns, please contact our product support at the below-mentioned email address.
ServiceDesk Plus: support@servicedeskplus.com
ServiceDesk Plus MSP: support@servicedeskplusmsp.com
SupportCenter Plus: support@supportcenterplus.com