CVE-2024-50053: 
Zoho ManageEngine ServiceDesk Plus vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability (CVE-2024-50053) affects Zohocorp ManageEngine ServiceDesk Plus versions below 14920, ServiceDesk Plus MSP and SupportCentre Plus versions below 14910. The vulnerability was discovered in the task feature's attachments section of the Add Task form and was disclosed on March 21, 2025. The vulnerability received a CVSS v3.1 base score of 5.4 (Medium) from NVD and 6.3 (Medium) from ManageEngine (NVD, Vendor Advisory).

The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The issue allows authenticated technicians to upload a malicious HTML file during task creation. The payload would be executed when other technicians, administrators, or SDAdmins interact with the file. The vulnerability stems from improper encoding of data during client-side rendering (Vendor Advisory).

When exploited, threat actors with add/edit access to tasks can execute custom scripts and perform further malicious attacks. The vulnerability affects the confidentiality and integrity of the system, as indicated by the CVSS metrics showing low impact on both aspects (Vendor Advisory).

ManageEngine has resolved this issue by implementing proper encoding of data during client-side rendering to prevent script execution. Fixed versions were released on December 09, 2024 (ServiceDesk Plus 14920) and February 25, 2025 (ServiceDesk Plus MSP and SupportCentre Plus 14910). Users are advised to upgrade to the latest service pack available for their respective products (Vendor Advisory).