Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2022-40772 CVE-2022-40773 |
CWE-ID | CWE-264 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Zoho ManageEngine ServiceDesk Plus MSP (Server applications / Other server solutions); Zoho ManageEngine SupportCenter Plus (Server applications / Conferencing, Collaboration and VoIP solutions) |
Vendor | Zoho Corporation |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU69872
Risk: Medium
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-40772
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to improper input validation within the generateSQLReport function, which leads to security restrictions bypass and privilege escalation.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Zoho ManageEngine ServiceDesk Plus MSP: 8000 - 10608
Zoho ManageEngine SupportCenter Plus: - - 11024
CPE2.3
https://manageengine.com
https://www.manageengine.com/products/service-desk-msp/cve-2022-40772.html
https://www.zerodayinitiative.com/advisories/ZDI-22-1613/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU69880
Risk: Medium
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-40773
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to improper input validation within the exportMickeyList action, which leads to security restrictions bypass and privilege escalation.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Zoho ManageEngine ServiceDesk Plus MSP: 8000 - 10608
Zoho ManageEngine SupportCenter Plus: - - 11024
CPE2.3
https://www.manageengine.com/products/service-desk-msp/cve-2022-40773.html
https://www.zerodayinitiative.com/advisories/ZDI-22-1490/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.