CVE-2022-25373: 
Zoho ManageEngine SupportCenter Plus vulnerability analysis and mitigation

Zoho ManageEngine SupportCenter Plus before version 11020 contains a stored Cross-Site Scripting (XSS) vulnerability in the request history feature. The vulnerability was discovered in February 2022 and fixed in version 11020 released on March 22, 2022. This vulnerability affects all versions of SupportCenter Plus up to and including version 11019 (ManageEngine Advisory).

The vulnerability allows any low-privileged user to inject arbitrary JavaScript into the request by editing the ticket description. The injected JavaScript gets executed automatically in the browser when other users, including those with higher privileges, view the request history. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD).

This vulnerability enables attackers to inject malicious code into the application that executes in other users' browsers. When exploited, it could lead to privilege escalation as the injected code runs in the context of the victim's browser session, potentially compromising higher-privileged users' accounts (ManageEngine Advisory).

Users must upgrade to SupportCenter Plus version 11020 or later to address this vulnerability. The fixed version was released on March 22, 2022. No alternative workarounds are available, making the upgrade the only recommended solution (ManageEngine Advisory).