CVE-2024-27314

Published: May 27, 2024Modified: Jun 17, 2025

2.4

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

Exploitability: 0.9 / Impact: 1.4

Source: 0fc0942c-577d-436f-ae8e-945763c79b02 (Secondary)

Description

Zoho ManageEngine ServiceDesk Plus versions below 14730, ServiceDesk Plus MSP below 14720 and SupportCenter Plus below 14720 are vulnerable to stored XSS in the Custom Actions menu on the request details. This vulnerability can be exploited only by the SDAdmin role users.

Affected (10)

Products: Zohocorp: Manageengine Servicedesk Plus, Manageengine Servicedesk Plus Msp, Manageengine Supportcenter Plus

Zohocorp

3 products

Manageengine Servicedesk Plus

Manageengine Servicedesk Plus Msp

Manageengine Supportcenter Plus

Configuration A

10 vulnerable

Vulnerable Software	Affected Versions
Zohocorp Manageengine Servicedesk Plus	Up to 14.6
Zohocorp Manageengine Servicedesk Plus	Version 14.7 14700
Zohocorp Manageengine Servicedesk Plus	Version 14.7 14710
Zohocorp Manageengine Servicedesk Plus	Version 14.7 14720
Zohocorp Manageengine Servicedesk Plus Msp	Up to 14.6
Zohocorp Manageengine Servicedesk Plus Msp	Version 14.7 14700
Zohocorp Manageengine Servicedesk Plus Msp	Version 14.7 14710
Zohocorp Manageengine Supportcenter Plus	Up to 14.6
Zohocorp Manageengine Supportcenter Plus	Version 14.7 14700
Zohocorp Manageengine Supportcenter Plus	Version 14.7 14710

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://www.manageengine.com/products/service-desk/cve-2024-27314.html

Source: 0fc0942c-577d-436f-ae8e-945763c79b02

Vendor Advisory

https://www.manageengine.com/products/service-desk/cve-2024-27314.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.