CVE-2023-26600: 
Zoho ManageEngine ServiceDesk Plus vulnerability analysis and mitigation

CVE-2023-26600 is a privilege escalation vulnerability affecting multiple ManageEngine products including ServiceDesk Plus (through 14104), ServiceDesk Plus MSP (through 14000), Support Center Plus (through 14000), and Asset Explorer (through 6987). The vulnerability was discovered by Piotr Bazydlo of Trend Micro's Zero Day Initiative and was disclosed in early 2023 (ManageEngine Advisory, ZDI Advisory).

The vulnerability exists within the generateSQLReport function and stems from improper validation of user-supplied data when utilizing certain PostgreSQL functions in query reports. The vulnerability has a CVSS v3.1 score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity. The issue allows the validation process to be bypassed, potentially leading to unauthorized access to restricted data in the Postgres database system (ZDI Advisory, ManageEngine Advisory).

Users with access to query reports can gain unauthorized access to restricted data in the database system. This vulnerability allows attackers to escalate privileges to resources that would normally be protected from the user (ManageEngine Advisory, ZDI Advisory).

ManageEngine has released fixed versions for all affected products: ServiceDesk Plus (version 14104), ServiceDesk Plus MSP (version 14000), SupportCenter Plus (version 14000), and AssetExplorer (version 6988). Users are advised to upgrade to these versions to address the vulnerability (ManageEngine Advisory).