This is a security advisory for CVE-2022-35403 regarding the unauthenticated local file disclosure vulnerability in inline image handling in ServiceDesk Plus, which has been identified and rectified. This affects on-premises users of ServiceDesk Plus (all editions) running version 13007 and below.
This issue was reported by our internal security team on our bug bounty portal.
This vulnerability allows adversaries to download local files from the server on which ServiceDesk Plus is installed by sending an email to the email address configured in the application with a crafted image URL pointing to the specific file. If the file is present in that location, it gets added as an attachment in the ticket conversation when a technician responds to or when a notification is triggered for the ticket.
What led to the vulnerability?
The image's URL was not being processed properly when a technician responded to it or when a notification was triggered for the ticket.
Who is affected?
This vulnerability affects on-premises ServiceDesk Plus customers of all editions using versions 13007 and below.
How have we fixed it?
We have added additional checks to process the inline image to avoid the local file disclosure vulnerability.
How to find out if you are affected
Click the Help link in the top-right corner of the ServiceDesk Plus web client, and select About from the drop-down to see your current version. If your current version of ServiceDesk Plus (all editions) is 13007 or below, your installation is vulnerable.
Please follow this forum post for any further updates regarding this vulnerability.
What you can do
ServiceDesk Plus customers who fit the above criteria can upgrade to the latest version (13008) using the appropriate migration path.
Alternatively, based on their current version, customers can also upgrade to the appropriate versions mentioned below:
Version or service pack with the fix
11200 to 11313
Important note: As always, make a copy of the entire ServiceDesk Plus installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you will have this copy as a backup, which will keep all your settings intact. If you are using an Microsoft SQL Server as a backend database, back up the ServiceDesk Plus database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at email@example.com.
ManageEngine ServiceDesk Plus