CVE-2023-23078: 
Zoho ManageEngine ServiceDesk Plus vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability was discovered in Zoho ManageEngine ServiceDesk Plus version 14, identified as CVE-2023-23078. The vulnerability was found in the comment field when changing credentials in the Assets section. The issue was discovered and reported through Zoho's bug bounty program and was fixed in December 2022 (ManageEngine Advisory).

The vulnerability is classified as a stored XSS issue with a CVSS v3.1 base score of 6.1 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The vulnerability allows users to inject malicious JavaScript in the asset details page, which is then executed when other users view the asset page. The issue was addressed by implementing proper data encoding during client rendering to prevent JavaScript execution (ManageEngine Advisory, NVD).

When exploited, the vulnerability allows attackers to execute malicious JavaScript code in the context of other users' browsers when they view the affected asset page. This could potentially lead to unauthorized access to user data, session hijacking, or other client-side attacks (ManageEngine Advisory).

The vulnerability has been fixed in ServiceDesk Plus version 14103, ServiceDesk Plus MSP version 14000, and AssetExplorer version 6987. Users are advised to upgrade to these or later versions. The fix implements proper encoding of data during client rendering to prevent JavaScript execution (ManageEngine Advisory).