Zoho ManageEngine ServiceDesk Plus XSS in Custom Actions (CVE-2024-27314)
CVE-2024-27314 Published on May 27, 2024

Stored XSS Vulnerability
Zoho ManageEngine ServiceDesk Plus versions below 14730, ServiceDesk Plus MSP below 14720 and SupportCenter Plus below 14720 are vulnerable to stored XSS in the Custom Actions menu on the request details. This vulnerability can be exploited only by the SDAdmin role users.

NVD

Vulnerability Analysis

CVE-2024-27314 is exploitable with network access, requires user interaction and user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
HIGH
User Interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Type

What is a XSS Vulnerability?

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CVE-2024-27314 has been classified to as a XSS vulnerability or weakness.


Products Associated with CVE-2024-27314

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-27314 are published in these products:

Zoho Corp Manageengine Servicedesk Plus
 
Zoho Corp Manageengine Servicedesk Plus Msp
 
Zoho Corp Manageengine Supportcenter Plus
 

Affected Versions

ManageEngine ServiceDesk Plus, ServiceDesk Plus MSP, SupportCenter Plus: manageengine servicedesk_plus: manageengine supportcenter_plus: manageengine servicedeskplusmsp:

Exploit Probability

EPSS
3.38%
Percentile
87.15%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.