Detections
Analytics

ManageEngine ServiceDesk Plus < 14.7 Build 14730

low Nessus Plugin ID 197903

Synopsis

The remote web server hosts an application that is affected by a vulnerability.

Description

The version of ManageEngine ServiceDesk Plus installed on the remote host is prior to 14.7 Build 14730. It is, therefore, affected by a vulnerability as referenced in the service-desk_cve-2024-27314 advisory.

 - A stored cross-site scripting (XSS) vulnerability allowed users with the SDAdmin role to inject a malicious JavaScript in the Custom Actions menu on the request details page. The script is executed when a user opens a request, accesses the custom menu, and clicks on the button with the Execute script action type. (CVE-2024-27314)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to ManageEngine ServiceDesk Plus version 14.7 Build 14730 or later.

See Also

https://manageengine.com/products/service-desk/cve-2024-27314.html

Plugin Details

Severity: Low

ID: 197903

File Name: manageengine-servicedesk-plus-cve-2024-27314.nasl

Version: 1.3

Type: remote

Family: CGI abuses

Published: 5/24/2024

Updated: 5/31/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 2.6

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2024-27314

CVSS v3

Risk Factor: Low

Base Score: 2.4

Temporal Score: 2.1

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:zohocorp:manageengine_servicedesk_plus

Required KB Items: installed_sw/manageengine_servicedesk

Exploit Ease: No known exploits are available

Patch Publication Date: 5/2/2024

Vulnerability Publication Date: 5/22/2024

Reference Information

CVE: CVE-2024-27314

IAVA: 2024-A-0312