QID 377857

Date Published: 2023-01-03

QID 377857: Zoho ManageEngine ServiceDesk Plus, SupportCenter Plus and AssetExplorer Privilege Escalation Vulnerability

This vulnerability allows an adversary to access restricted data in the Postgres database setup by using a specific PostgreSQL function in the query, which enables bypassing the validation mechanism.

Affected Versions:
ServiceDesk Plus build 14000 and below
SupportCenter Plus build 11024 and below
AssetExplorer build 6980 and below

QID Detection Logic (Authenticated):
This QID checks for vulnerable version by reading the product.conf file

Successful exploitation of the vulnerability mau allow users who have access to query reports to access restricted data.

CVSS V3 rated as High - 6.5 severity.

CVSS V2 rated as Medium - 5 severity.

Solution

Zoho has released patches addressing the vulnerability. For more information please refer to Zoho ManageEngine Security Advisory

Vendor References

ManageEngine Security Advisory - www.manageengine.com/products/service-desk/CVE-2022-40772.html

CVEs related to QID 377857

CVE-2022-40772 |

Software Advisories

Advisory ID	Software	Component	Link
ManageEngine Security Advisory			www.manageengine.com/products/service-desk/CVE-2022-40772.html

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].