CVE-2024-41150: 
Zoho ManageEngine ServiceDesk Plus vulnerability analysis and mitigation

CVE-2024-41150 is a Stored Cross-site Scripting (XSS) vulnerability affecting Zohocorp ManageEngine's ITSM products including ServiceDesk Plus (versions through 14810), ServiceDesk Plus MSP (versions through 14800), and SupportCenter Plus (versions through 14800). The vulnerability was discovered in the request module and was publicly disclosed on July 19, 2024 (Vendor Advisory).

The vulnerability is classified as a stored XSS issue that allows users to inject malicious JavaScript while creating a new request, which gets executed when users open the request details page. The CVSS v3.1 base score is 6.1 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N according to NIST's assessment (NVD).

When exploited, this vulnerability allows threat actors with access to the request module to execute malicious JavaScript code in users' browsers when they view the request details page, potentially leading to additional attacks (Vendor Advisory).

ManageEngine has released fixes for all affected products: ServiceDesk Plus version 14820 (released July 19, 2024), ServiceDesk Plus MSP version 14810 (released August 20, 2024), and SupportCenter Plus version 14810 (released August 20, 2024). The fix involves encoding data during client-side rendering to prevent JavaScript execution (Vendor Advisory).