CVE-2024-27314: 
Zoho ManageEngine ServiceDesk Plus vulnerability analysis and mitigation

Zoho ManageEngine ServiceDesk Plus versions below 14730, ServiceDesk Plus MSP below 14720, and SupportCenter Plus below 14720 are vulnerable to a stored Cross-Site Scripting (XSS) vulnerability in the Custom Actions menu on the request details page. The vulnerability was discovered and fixed in May 2024, affecting multiple versions of the ManageEngine service management suite (ManageEngine Advisory).

The vulnerability is classified as a stored XSS issue with a CVSS v3.1 Base Score of 2.4 (LOW) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N. The vulnerability specifically affects the Custom Actions menu on the request details page, where users with SDAdmin role privileges could inject malicious JavaScript code. The script would be executed when a user opens a request, accesses the custom menu, and clicks on a button with the Execute script action type (ManageEngine Advisory).

The vulnerability can only be exploited by users with SDAdmin role privileges, limiting its potential impact. When successfully exploited, it allows the injection of malicious JavaScript code that executes when other users interact with specific elements in the request details page (ManageEngine Advisory).

The vulnerability has been fixed by ManageEngine through encoding data during client rendering to prevent JavaScript execution. Users are advised to upgrade to ServiceDesk Plus version 14730, ServiceDesk Plus MSP version 14720, or SupportCenter Plus version 14720. The fix was released on May 2, 2024, for ServiceDesk Plus and May 22, 2024, for ServiceDesk Plus MSP and SupportCenter Plus (ManageEngine Advisory).