Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before 14000, and Support Center Plus before 14000 allow Denial-of-Service (DoS).

The version of ManageEngine ServiceDesk Plus MSP installed on the remote host is prior to 14.0 Build 14001. It is, therefore, affected by a vulnerability as referenced in the service-desk-msp_CVE-2023-26601 advisory.

  - Zoho ManageEngine ServiceDesk Plus through 14104, Asset Explorer through 6987, ServiceDesk Plus MSP before     14000, and Support Center Plus before 14000 allow Denial-of-Service (DoS). (CVE-2023-26601)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of ManageEngine SupportCenter Plus prior to 14.0 Build 14001 is running on the remote web server. It is, therefore, affected by a denial of service vulnerability:

- A Denial of Service vulnerability in image upload. This vulnerability allows an attacker to exploit the way an API method allocates memory by sending a small image file with a large size defined in the header, causing the application to crash or become unresponsive. (CVE-2023-26601)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of ManageEngine AssetExplorer prior to 6.9 Build 6988 is running on the remote web server. It is, therefore, affected by multiple vulnerabilities, including the following:

  - A privilege escalation vulnerability in query reports. This vulnerability allows an     attacker to gain access to restricted data in a Postgres database system by utilizing     a certain PostgreSQL function in the query, allowing the validation process to be     bypassed. (CVE-2023-26600)

  - A Denial of Service vulnerability in image upload. This vulnerability allows an     attacker to exploit the way an API method allocates memory by sending a small image     file with a large size defined in the header, causing the application to crash or     become unresponsive. (CVE-2023-26601)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version   number.

The version of ManageEngine ServiceDesk Plus running on the remote host is prior to 14.0 Build 14104. It is, therefore, affected by multiple vulnerabilities, including the following:

  - A Denial of Service vulnerability in image upload allows an attacker to exploit the way an API method allocates     memory by sending a small image file with a large size defined in the header, causing the application to crash     or become unresponsive. (CVE-2023-26601)

  - Privilege escalation vulnerability in query reports allows an attacker to gain access to restricted data in a     Postgres database system by utilizing a certain PostgreSQL function in the query, allowing the validation     process to be bypassed. (CVE-2023-26600)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
185752	ManageEngine ServiceDesk Plus MSP < 14.0 Build 14001	Nessus	CGI abuses	high
172641	ManageEngine SupportCenter Plus < 14.0 Build 14001 DoS	Nessus	CGI abuses	high
172640	ManageEngine AssetExplorer < 6.9 Build 6988 Multiple Vulnerabilities	Nessus	CGI abuses	medium
172578	ManageEngine ServiceDesk Plus < 14.0 Build 14104 Multiple Vulnerabilities	Nessus	CGI abuses	medium

Detections

Analytics

CVE-2023-26601

high

Tenable Plugins

high

high

medium

medium