CVE-2023-23074: 
Zoho ManageEngine ServiceDesk Plus vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability was discovered in Zoho ManageEngine ServiceDesk Plus version 14103 and below. The vulnerability, identified as CVE-2023-23074, allowed users with Admin role privileges to inject malicious JavaScript under the Advanced Portal configurations, specifically in the product tour feature (ManageEngine Advisory).

The vulnerability stems from insufficient validation of data in embed video links when they are added to the Product Tour page. The script gets executed when a user views the product tour or the product tour preview. The issue was resolved by implementing data encoding during client rendering to prevent JavaScript execution (Fortiguard).

Successful exploitation of this vulnerability could result in arbitrary script execution under the security context of the target user's browser, potentially leading to system compromise where remote attackers can gain control of vulnerable systems (Fortiguard).

The vulnerability was fixed in ServiceDesk Plus version 14104, released on January 24, 2023. Users are advised to upgrade to this version or later by downloading and applying the latest ServiceDesk Plus upgrade pack according to the provided instructions (ManageEngine Advisory).

The vulnerability was initially reported by HMs through Zoho's bug bounty portal, demonstrating the effectiveness of their security research program (ManageEngine Advisory).