CVE-2024-27314— Stored XSS Vulnerability
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-27314
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Stored XSS Vulnerability
Source: NVD (National Vulnerability Database)
Vulnerability Description
Zoho ManageEngine ServiceDesk Plus versions below 14730, ServiceDesk Plus MSP below 14720 and SupportCenter Plus below 14720 are vulnerable to stored XSS in the Custom Actions menu on the request details. This vulnerability can be exploited only by the SDAdmin role users.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Zoho ManageEngine ServiceDesk Plus 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
ZOHO ManageEngine ServiceDesk Plus(SDP)是美国卓豪(ZOHO)公司的一套基于ITIL架构的IT服务管理软件。该软件集成了事件管理、问题管理、资产管理IT项目管理、采购与合同管理等功能模块。 Zoho ManageEngine ServiceDesk Plus 14730之前版本、ServiceDesk Plus MSP 14720之前版本、 SupportCenter Plus 14720之前版本存在安全漏洞,该漏洞源于容易受到存储型跨站脚本(XSS)攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| ManageEngine | ServiceDesk Plus, ServiceDesk Plus MSP, SupportCenter Plus | 0 ~ 14730 | - |
II. Public POCs for CVE-2024-27314
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-27314
请登录查看更多情报信息。
Same Patch Batch · ManageEngine · 2024-05-27 · 4 CVEs total
| CVE-2024-36037 | 5.5 MEDIUM | Insufficient Access Control Vulnerability |
| CVE-2024-27310 | 5.3 MEDIUM | DOS Vulnerability |
| CVE-2024-36036 | 4.2 MEDIUM | Insufficient Access Control Vulnerability |
IV. Related Vulnerabilities
Same weakness: CWE-79
- CVE-2026-8262
Devs Palace ERP Online chart-save cross site scripting - CVE-2026-8256
Devs Palace ERP Online mr-save cross site scripting - CVE-2026-8255
Devs Palace ERP Online add_new_customer cross site scripting - CVE-2026-8254
Devs Palace ERP Online sales_save cross site scripting - CVE-2026-8253
Devs Palace ERP Online purchase_save cross site scripting
V. Comments for CVE-2024-27314
No comments yet