XSS bug places admin accounts under threat
IT help desks making use of the ServiceDesk Plus software have been advised to update their systems following the discovery of a cross-site scripting (XSS) vulnerability that, left unchecked, could enable an attacker to take full control of admin accounts.
Developed by ManageEngine of California, ServiceDesk Plus is IT support software that claims more than 100,000 installations around the world. Prominent customers include Vodafone, Dell, and Honda, among others.
While testing the IT support application for flaws, security researchers at SEC-Consult discovered a reflected XSS vulnerability in ‘geti18nkey’, a module parameter that is only exposed in the administrator interface: the value supplied in the request is written back into the response page without adequate output encoding.
In order to exploit this vulnerability, an administrator would need to click on a malicious link or visit a site that was under an attacker’s control.
SEC-Consult noted that the exploit would not work against a regular ServiceDesk user account, since the vulnerable parameter is not reachable from a standard user session. This reduces the likelihood of a company being compromised via a phishing link included in an ordinary support ticket.
However, if an attacker were able to get a ticket escalated or otherwise induce an administrator to click on a malicious link, the injected script would run in the administrator’s browser with that account’s session and privileges.
“If left unpatched, an attacker could compromise the ticket system with highest access rights and [for example] gain access to all tickets with internal or sensitive information and potentially perform further attacks,” Johannes Greil, principal security consultant at SEC-Consult, told The Daily Swig.
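To make the reflection concrete, the following Python snippet is an added illustration written for this article, not ServiceDesk Plus code and not SEC-Consult’s proof of concept. It shows a hypothetical handler that echoes the ‘geti18nkey’ parameter into its HTML response, the same handler hardened with HTML escaping and a Content-Security-Policy header, and how the payload travels in the link the administrator would have to click. The translation table, the function names and the host name are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for an i18n lookup table; not ServiceDesk Plus data.
I18N = {
    "login.title": "Sign in",
    "ticket.new": "New request",
}


def lookup_key(key: str) -> str:
    # A missing key is echoed back in the message, so the caller's input
    # ends up in the page either way.
    return I18N.get(key, f"missing key: {key}")


def render_vulnerable(query_string: str) -> str:
    """Hypothetical vulnerable handler: the raw parameter is interpolated
    straight into HTML, the reflected XSS pattern the article describes."""
    key = parse_qs(query_string).get("geti18nkey", [""])[0]
    return f"<p>{lookup_key(key)}</p>"


def render_hardened(query_string: str) -> str:
    """Same handler with output encoding: every character with HTML
    meaning becomes an entity, so the browser renders text, not markup."""
    key = parse_qs(query_string).get("geti18nkey", [""])[0]
    return f"<p>{html.escape(lookup_key(key), quote=True)}</p>"


def hardened_headers() -> dict:
    """Defence in depth: a CSP that forbids inline script limits what an
    escaping bug that slips through could execute."""
    return {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    }


def malicious_link(base_url: str, payload: str) -> str:
    """What 'click on a malicious link' means here: the payload travels in
    the URL itself and executes only once a logged-in admin opens it."""
    return base_url + "?" + urlencode({"geti18nkey": payload})


def contains_active_markup(body: str) -> bool:
    """Crude check for unescaped script-bearing markup, used only to compare
    the two renderers; not a general XSS detector."""
    lowered = body.lower()
    return "<script" in lowered or "onerror=" in lowered


if __name__ == "__main__":
    # Constructed payload; the host name is hypothetical.
    link = malicious_link("https://helpdesk.example.test/servlet",
                          "<script>alert(document.cookie)</script>")
    query = link.split("?", 1)[1]
    print("link:      ", link)
    print("vulnerable:", render_vulnerable(query))
    print("hardened:  ", render_hardened(query))
```

The important point for defenders is that the fix lives on the server: escaping at the point of output is what closes the bug, while the CSP header only limits the blast radius if another reflection is missed. An admin-only entry point does not make the flaw harmless, because the browser sends the administrator’s session cookie with the request regardless of who crafted the link.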
The Austrian security researchers flagged the XSS vulnerability to ManageEngine in December, and the issue was fixed in a ServiceDesk update earlier this month.
“The ZOHO [ManageEngine’s parent company] support team responded very quickly and professionally via their ticket system for both our submitted advisories,” added Greil. “They seem to have proper incident response processes implemented and are handling security issues well and quickly.”
ManageEngine did not immediately respond to The Daily Swig’s request for comment.