XSS & path traversal vulnerabilities in Zoho ManageEngine ServiceDesk Plus. Secure your accounts

Specialists from a hacking course have published their findings on multiple vulnerabilities in Zoho ManageEngine ServiceDesk Plus. Exploiting these flaws would allow cross-site scripting (XSS) attacks, among other risk scenarios for administrators of affected deployments.

Below are brief descriptions of the reported flaws, together with their CVE identifiers and Common Vulnerability Scoring System (CVSS) scores. It should be noted that only one of the three vulnerabilities described below has so far been assigned a CVE identifier.

CVE-2020-13154: The first reported vulnerability allows remote threat actors to gain access to potentially sensitive information on the target system. The flaw exists because the application outputs excessive data; an authenticated remote attacker could use this to discover the File Protection password.

While this vulnerability can be exploited over the Internet by an authenticated remote user, no functional exploit has been registered for it. CVE-2020-13154 received a score of 5.7/10 on the CVSS scale, so it is considered a moderate-severity flaw, the hacking course experts mentioned.

The second reported vulnerability allows remote hackers to deploy cross-site scripting (XSS) attacks. This flaw exists due to insufficient sanitization of user-provided data in asset contracts. A remote threat actor could inject arbitrary HTML and script code that then executes in the victim’s browser in the context of the vulnerable website.

According to the hacking course experts, successful exploitation of the flaw would allow hackers to extract sensitive information, modify the appearance of the vulnerable website, and carry out phishing attacks.

Although it can be exploited remotely, no exploit has yet been reported for this flaw. It received a score of 6.3/10 on the CVSS scale (no CVE identifier has yet been assigned), although it is considered low severity due to its complex exploitation process.
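The root cause described above is user-controlled text from an asset contract reaching the page without sanitization. The following is an added example, not code from Zoho or from the researchers, showing the defensive counterpart: contextual output encoding of every user-supplied field before it is placed in HTML. The record fields (`name`, `vendor`, `notes`, `url`) and the sample contract values are constructed for illustration.

```python
"""Contextual output encoding for user-supplied asset-contract fields.

Added example (assumed field names, constructed sample data). The page
describes stored XSS via unsanitized asset-contract data; this shows the
mitigation: escape for the specific HTML context before rendering.
"""
import html
from urllib.parse import urlparse

# Constructed sample record: the notes field carries markup that must never
# reach the browser as live HTML.
SAMPLE_CONTRACT = {
    "name": "Printer lease <script>alert('xss')</script>",
    "vendor": "ACME \"Office\" Supplies",
    "notes": "Renew before 2021 & review SLA",
    "url": "javascript:alert(1)",  # not an http(s) URL: must be dropped
}


def escape_text(value) -> str:
    """Escape for HTML element content (text between tags)."""
    return html.escape(str(value), quote=False)


def escape_attr(value) -> str:
    """Escape for a double-quoted HTML attribute value (quotes included)."""
    return html.escape(str(value), quote=True)


def safe_href(value) -> str:
    """Allow only http(s) links in href; anything else becomes a harmless '#'.
    Escaping alone does not neutralize a javascript: URL, so the scheme is
    validated separately."""
    parsed = urlparse(str(value))
    if parsed.scheme not in ("http", "https"):
        return "#"
    return escape_attr(value)


def render_contract_row(contract: dict) -> str:
    """Render one contract as a table row; each field escaped for its context."""
    cells = [
        f"<td>{escape_text(contract['name'])}</td>",
        f"<td title=\"{escape_attr(contract['vendor'])}\">"
        f"{escape_text(contract['vendor'])}</td>",
        f"<td>{escape_text(contract['notes'])}</td>",
        f"<td><a href=\"{safe_href(contract['url'])}\">details</a></td>",
    ]
    return "<tr>" + "".join(cells) + "</tr>"


def contains_live_markup(rendered: str, raw_field: str) -> bool:
    """Check used in tests: True if a raw user field appears unescaped."""
    return raw_field in rendered


if __name__ == "__main__":
    print(render_contract_row(SAMPLE_CONTRACT))
```

The important design point is that the encoding function is chosen by the destination context (element text, attribute value, URL), not by the source field; a single generic "strip tags" pass would not protect the attribute or the href.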

The third discovered flaw allows remote hackers to carry out directory traversal attacks. This vulnerability exists due to an input validation error when processing directory traversal sequences. Threat actors could send specially crafted HTTP requests to read arbitrary files on the target system.

As in the previous cases, this flaw can be exploited remotely, although no related exploit has been detected. The vulnerability received a score of 6.5/10; it has not yet been assigned a CVE identifier.
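The third flaw is an input validation error on traversal sequences. As an added example (not Zoho's code and not the researchers' material), the block below shows the two things a defender wants for this class of bug: a validator that confines a requested file name to a base directory, including single- and double-URL-encoded forms of `..`, and a scanner that flags such requests in web server access logs. The base directory, the access log lines and the request paths are all constructed for the example.

```python
"""Directory traversal: request validation and access-log detection.

Added example with assumed/constructed values: the base directory, the log
format (Common Log Format) and all sample requests are invented here.
"""
import posixpath
import re
from urllib.parse import unquote

# Assumed attachment root; any constructed path works for the demonstration.
BASE_DIR = "/srv/servicedesk/attachments"

# Constructed access-log lines: one benign request, one with URL-encoded
# traversal, one with double-encoded traversal.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2020:10:00:01 +0000] "GET /attachments/quarterly-report.pdf HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jun/2020:10:00:07 +0000] "GET /attachments/..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1842',
    '10.0.0.9 - - [01/Jun/2020:10:00:09 +0000] "GET /attachments/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 403 0',
]

_REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def _decode(raw: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly so %252e%252e (double encoding) is seen as '..'."""
    value = raw
    for _ in range(rounds):
        value = unquote(value)
    return value


def is_traversal_attempt(raw_path: str) -> bool:
    """True if the decoded path contains a '..' segment or a NUL byte.
    Backslashes are treated as separators so Windows-style sequences are caught."""
    decoded = _decode(raw_path).replace("\\", "/")
    if "\x00" in decoded:
        return True
    return any(segment == ".." for segment in decoded.split("/"))


def resolve_safe_path(base_dir: str, requested: str):
    """Map a user-supplied relative name onto base_dir, or return None.
    The check is lexical (posixpath.normpath); a real handler should also
    resolve symlinks with os.path.realpath before opening the file."""
    if is_traversal_attempt(requested):
        return None
    relative = _decode(requested).replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(base_dir, relative))
    root = base_dir.rstrip("/")
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def find_traversal_requests(lines):
    """Return the request paths in access-log lines that look like traversal."""
    hits = []
    for line in lines:
        match = _REQUEST_RE.search(line)
        if match and is_traversal_attempt(match.group(1)):
            hits.append(match.group(1))
    return hits


if __name__ == "__main__":
    print(resolve_safe_path(BASE_DIR, "reports/q1.pdf"))
    print(resolve_safe_path(BASE_DIR, "../../etc/passwd"))
    for hit in find_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

Rejecting any `..` segment outright, rather than trying to normalize it away, keeps the policy simple to audit; the `normpath` containment check remains as a second line of defence in case a decoding variant slips past the first test.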

Although the risk of exploitation is low, the International Institute of Cyber Security (IICS) recommends installing updates released by developers as soon as possible.