Zoho ManageEngine ServiceDesk Plus versions below 14730, ServiceDesk Plus MSP below 14720 and SupportCenter Plus below 14720 are vulnerable to stored XSS in the Custom Actions menu on the request details. This vulnerability can be exploited only by the SDAdmin role users.
References
| Link | Resource |
|---|---|
| https://www.manageengine.com/products/service-desk/cve-2024-27314.html | Vendor Advisory |
| https://www.manageengine.com/products/service-desk/cve-2024-27314.html | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
17 Jun 2025, 20:18
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:*:*:*:*:*:*:*:* cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:14.7:14700:*:*:*:*:*:* cpe:2.3:a:zohocorp:manageengine_supportcenter_plus:14.7:14700:*:*:*:*:*:* cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:14.7:14700:*:*:*:*:*:* cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:14.7:14720:*:*:*:*:*:* cpe:2.3:a:zohocorp:manageengine_supportcenter_plus:*:*:*:*:*:*:*:* cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:14.7:14710:*:*:*:*:*:* cpe:2.3:a:zohocorp:manageengine_supportcenter_plus:14.7:14710:*:*:*:*:*:* cpe:2.3:a:zohocorp:manageengine_servicedesk_plus_msp:*:*:*:*:*:*:*:* cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:14.7:14710:*:*:*:*:*:* |
|
| First Time |
Zohocorp manageengine Servicedesk Plus Msp
Zohocorp Zohocorp manageengine Supportcenter Plus Zohocorp manageengine Servicedesk Plus |
|
| References | () https://www.manageengine.com/products/service-desk/cve-2024-27314.html - Vendor Advisory |
Information
Published : 2024-05-27 07:15
Updated : 2025-06-17 20:18
NVD link : CVE-2024-27314
Mitre link : CVE-2024-27314
CVE.ORG link : CVE-2024-27314
JSON object : View
Products Affected
zohocorp
- manageengine_servicedesk_plus_msp
- manageengine_servicedesk_plus
- manageengine_supportcenter_plus
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')