ManageEngine ServiceDesk Plus Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in ManageEngine ServiceDesk Plus versions prior to 14920, as well as in ServiceDesk Plus MSP and SupportCentre Plus versions prior to 14910. This vulnerability allows authenticated technicians to upload malicious HTML files during task creation. The injected scripts are executed when other technicians, administrators, or SDAdmins interact with the file.

Impact

Exploitation of this vulnerability allows for the execution of custom scripts, potentially leading to further malicious actions within the application.

Remediation

Users can upgrade to version 14920 for ServiceDesk Plus, or to version 14910 for ServiceDesk Plus MSP and SupportCentre Plus. Instructions for downloading the latest service pack are available on the ManageEngine website.
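The following is an added example, not ManageEngine code and not part of the original advisory: a defender-side audit that flags stored attachments a browser could open as a script-capable HTML document, which is the file type the advisory describes. The extension list, the markup pattern and the sample files are assumptions constructed for illustration.

```python
import os
import re

# Assumed for this example: extensions a browser opens as a script-capable document.
ACTIVE_EXTENSIONS = {".html", ".htm", ".xhtml", ".shtml", ".svg", ".xml"}

# Opening tags that make a content-sniffing browser treat a body as HTML or SVG.
ACTIVE_MARKUP = re.compile(
    rb"<\s*(?:!doctype\s+html|html|head|body|script|iframe|svg|object|embed|meta|img)\b",
    re.IGNORECASE,
)
SNIFF_BYTES = 4096  # only the leading bytes are inspected


def classify_attachment(filename, data):
    """Return the reasons an uploaded file could run script when opened inline."""
    reasons = []
    ext = os.path.splitext(filename.lower())[1]
    if ext in ACTIVE_EXTENSIONS:
        reasons.append("active-extension")
    # Dropping NUL bytes lets the same pattern match UTF-16 encoded markup.
    head = data[:SNIFF_BYTES].replace(b"\x00", b"")
    if ACTIVE_MARKUP.search(head):
        reasons.append("active-markup")
    return reasons


def audit(attachments):
    """Map each flagged filename to its reasons; clean files are omitted."""
    flagged = {}
    for name, data in attachments.items():
        reasons = classify_attachment(name, data)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample attachments, not taken from any real instance.
SAMPLES = {
    "notes.txt": b"Reboot scheduled for Friday, 5 < 6 pm.",
    "runbook.HTML": b"<!DOCTYPE html><html><body><script>void 0</script></body></html>",
    "diagram.png": "<svg onload='void 0'></svg>".encode("utf-16"),
    "photo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
}

if __name__ == "__main__":
    for name, reasons in audit(SAMPLES).items():
        print(name, reasons)
```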

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.2
impact: 1.7
exploitability: 5.0
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.