CVE-2023-23077: 
Zoho ManageEngine ServiceDesk Plus vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability was identified in Zoho ManageEngine ServiceDesk Plus version 13 and below. The vulnerability, tracked as CVE-2023-23077, was discovered in the comment field when adding a new status comment. The issue was officially disclosed on February 1, 2023, and affects the Release Details page of the application (ManageEngine Advisory).

The vulnerability is classified as a stored XSS issue that allows users to inject malicious JavaScript code in the Add Release page, which subsequently gets executed when a user views the Release Details page. The CVSS v3.1 base score is 6.1 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction (NVD).

When exploited, this vulnerability could allow threat actors to perform further attacks through the execution of malicious JavaScript code in users' browsers. The vulnerability affects data confidentiality and integrity with low impact, while having no effect on system availability (ManageEngine Advisory).

The vulnerability has been fixed in ServiceDesk Plus version 14003, released on October 22, 2022. The fix involves encoding data during client rendering to prevent JavaScript execution. Users are advised to upgrade to the latest version by downloading and applying the upgrade pack according to the provided instructions (ManageEngine Advisory).