
Cloud Vulnerability DB
A community-led vulnerabilities database
A stored cross-site scripting (XSS) vulnerability was identified in Zoho ManageEngine ServiceDesk Plus version 14 and below. It affects the Associate Service Requests list view on the Purchase Order details page. The vulnerability was discovered and fixed in December 2022; the fix shipped in build 14103 for ServiceDesk Plus and build 13002 for ServiceDesk Plus MSP (ManageEngine Advisory).
A low-privileged user could inject JavaScript while associating a service request from the purchase order details page. Because the payload is stored, it executes later, in the browser of any user who opens the Associate Service Requests list view on that Purchase Order details page. The fix encodes the stored data when the client renders it, so the browser treats the injected content as text rather than markup and no script runs (ManageEngine Advisory). The vulnerability has been assigned a CVSS v3 base score of 6.1 (Medium), modelled as network-reachable with no privileges required and user interaction required (AttackerKB). Note the tension with the advisory text: the score assumes an unprivileged attacker, while the advisory describes the injection as requiring an account that can associate service requests with a purchase order, so in practice the attacker needs at least that level of access.
Script injected this way runs with the privileges of whichever user views the affected page, including administrators who review purchase orders. As with any stored XSS, that can lead to session hijacking, credential theft, actions performed in the victim's ServiceDesk Plus session, or other client-side attacks against users who access the Purchase Order details page (ManageEngine Advisory).
ManageEngine has released fixed versions to address this vulnerability: ServiceDesk Plus users should upgrade to build 14103 or later, while ServiceDesk Plus MSP users should upgrade to build 13002 or later. The two product lines use different build numbering, so match the fixed build to the product actually deployed. The upgrade is performed by downloading and applying the latest upgrade pack from the official ManageEngine website; after upgrading, confirm that the running build number is at or above the fixed build before treating the instance as remediated (ManageEngine Advisory).
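The pattern behind this class of bug, and the fix the advisory describes, can be shown in a few lines. The following is an added example, not ManageEngine code and not taken from the advisory: a list-view row renderer that concatenates an untrusted field straight into HTML, beside a version that HTML-encodes every field at render time. The record shape, the function names (`renderRequestRowUnsafe`, `renderRequestRowSafe`, `escapeHtml`, `countInjectedTags`) and the sample records are all assumptions constructed for the demonstration.

```javascript
// Added example (not ManageEngine code): vulnerable vs. hardened client-side
// rendering of a "service requests" list view, the pattern behind a stored XSS
// like the one described above. All names and records here are constructed.

// Constructed sample records, as a list view might receive them from a JSON API.
// The second record's subject carries a payload stored by a low-privileged user.
const SAMPLE_REQUESTS = [
  { id: 101, subject: "Replace laptop battery", requester: "alice" },
  { id: 102, subject: '<img src=x onerror="alert(document.cookie)">', requester: "mallory" },
];

// Vulnerable pattern: stored, attacker-controlled fields are interpolated directly
// into markup. Whatever tags the attacker stored become live DOM when inserted.
function renderRequestRowUnsafe(req) {
  return `<tr><td>${req.id}</td><td>${req.subject}</td><td>${req.requester}</td></tr>`;
}

// HTML entity encoding of the characters that change meaning in element text and
// in double- or single-quoted attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: every untrusted field is encoded at render time, which is the
// "data encoding during client rendering" the fix describes. The payload is still
// stored, but the browser now displays it as text instead of executing it.
function renderRequestRowSafe(req) {
  return `<tr><td>${escapeHtml(req.id)}</td><td>${escapeHtml(req.subject)}</td><td>${escapeHtml(req.requester)}</td></tr>`;
}

// The row template itself emits exactly 8 "<" characters (tr, 3x td, 3x /td, /tr).
// Any "<" beyond that came from the data, i.e. an injected tag. This is a check for
// the demo, not a general XSS detector: it only sees tag injection, not attribute
// or script-context injection.
const TEMPLATE_TAG_COUNT = 8;
function countInjectedTags(rowHtml) {
  const lt = (rowHtml.match(/</g) || []).length;
  return lt - TEMPLATE_TAG_COUNT;
}

// Render the whole view both ways and report how many rows leak markup.
function renderTable(requests, renderRow) {
  return `<table>${requests.map(renderRow).join("")}</table>`;
}

function injectedRowCount(requests, renderRow) {
  return requests.filter((r) => countInjectedTags(renderRow(r)) > 0).length;
}

// Stand-alone demonstration.
console.log("unsafe rows with injected tags:", injectedRowCount(SAMPLE_REQUESTS, renderRequestRowUnsafe)); // 1
console.log("safe rows with injected tags:  ", injectedRowCount(SAMPLE_REQUESTS, renderRequestRowSafe));   // 0
console.log(renderTable(SAMPLE_REQUESTS, renderRequestRowSafe));
```

In a real front end the same property is obtained by assigning untrusted strings to `textContent` (or via a templating library that escapes by default) instead of `innerHTML`; the string-encoding version above is used so the two outputs can be compared outside a browser. Encoding must be applied per context: the five-character encoding here is correct for element text and quoted attribute values, but a value placed inside a `<script>` block, a URL, or an unquoted attribute needs context-specific handling, and the fix should be verified in every view that displays the stored field, not only the one where the bug was reported.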
Source: This report was generated using AI