CVE ID: CVE-2022-35403

Product NameSeverityAffected Version(s)Fixed VersionFixed On
ServiceDesk PlusHigh13007 and below13008July 7, 2022
ServiceDesk Plus MSPHigh10605 and below10606July 11, 2022
SupportCenter PlusHigh11021 and below11022July 11, 2022
AssetExplorerMedium6976 and below6977July 7, 2022

Details

This file disclosure vulnerability allows non-login users to download local files from the ServiceDesk Plus, ServiceDesk Plus MSP and SupportCenter Plus server machines by sending a crafted email for ticket creation. The same vulnerability affects AssetExplorer too which falls under medium severity since it needs authentication to exploit.

We fixed this issue by adding additional checks to process the email content to avoid the local file disclosure vulnerability in ServiceDesk Plus, ServiceDesk Plus MSP, SupportCenter Plus and AssetExplorer.

Impact

This vulnerability allows non-login users to download local files from the server machine.

Steps to upgrade

  1. Download the latest upgrade pack from the following links for the respective product:
  2. Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.

Please follow the forum post for the respective products as mentioned below for any further updates regarding this vulnerability:

ServiceDesk Plus | ServiceDesk Plus MSP | SupportCenter Plus | AssetExplorer

Acknowledgements

This issue was reported by ManageEngine’s internal security team on our bug bounty portal.

If you have any questions or concerns, please contact product support for further details at the below-mentioned email addresses.

ServiceDesk Plus: support@servicedeskplus.com

ServiceDesk Plus MSP support@servicedeskplusmsp.com

SupportCenter Plus: support@supportcenterplus.com

AssetExplorer: assetexplorer-support@manageengine.com

Important note: As always, make a copy of the entire application installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you will have this copy as a backup, which will keep all your settings intact. If you are using an MS SQL Server as a back-end database, back up the application database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.

This article is relevant to:
ManageEngineSecurity AdvisoryService Desk

You may be interested in these other recent articles

ManageEngine ServiceDesk Plus Cloud Build Release Information

3 August 2022

Summary details of the current Build Release information for ManageEngine ServiceDesk Plus Cloud Edition. All upgrades are performed by the Zoho Cloud team. Should you…

Read more

ManageEngine Endpoint Central (formerly Desktop Central) On-Premise Build Release Information

27 July 2022

Summary details of the current Build Release information for ManageEngine Endpoint Central. Note: Desktop Central changing its name to Endpoint Central will not affect the…

Read more

ManageEngine ServiceDesk Plus On-Premise Build Release Information

7 July 2022

Summary details of the current Build Release information for ManageEngine ServiceDesk Plus. To safely upgrade your current instance of ManageEngine ServiceDesk Plus please refer to…

Read more

Get to building your business apps with the new AppCreator

9 June 2022

ManageEngine’s new low-code application development tool Creating an application, building one and deploying it can be expensive and time consuming as you have to make…

Read more

Endpoint Central’s Endpoint Security

31 May 2022

Endpoint Central (formerly Desktop Central) not only got a name change but has also introduced Endpoint Security to help organisations keep their endpoints secured. According…

Read more