A stored XSS vulnerability is fixed in ServiceDesk Plus MSP version 14810. Please refer to this security advisory to learn more and to upgrade to the latest version.
A stored XSS vulnerability in Time Sheets is fixed in ServiceDesk Plus MSP version 14504. Please refer to this security advisory to learn more and to upgrade to the latest version.
A privilege escalation vulnerability in the Release module allowed unprivileged users to access the Reminders of a release ticket and modify it. Please refer to this security advisory to learn more and to upgrade to the latest version.
A XXE vulnerability in the Reports integration has been fixed in ServiceDesk Plus MSP version 14200. Please refer to this security advisory to learn more and to upgrade to the latest version.
A privilege escalation vulnerability in query reports has been fixed in ServiceDesk Plus MSP version 14000. Please refer to this security advisory to learn more and to upgrade to the latest version.
A Denial of Service vulnerability is fixed in ServiceDesk Plus MSP version 14001. Please refer to this security advisory to learn more and to upgrade to the latest version.
A stored XSS vulnerability in the asset details page has been fixed in ServiceDesk Plus MSP version 14000. Please refer to this security advisory to learn more and to upgrade to the latest version.
A stored XSS vulnerability in the associate Service Requests list view on the Purchase Order details page has been fixed in ServiceDesk Plus MSP version 13002. Please refer to this security advisory to learn more and to upgrade to the latest version.
This security advisory addresses a flaw in the LDAP authentication process for user details imported from the LDAP server. Please visit this link for more information.
An RCE vulnerability when integrating with Analytics Plus has been fixed in ServiceDesk Plus MSP version 13000. Please refer to this security advisory to learn more and to upgrade to the latest version.
An XXE vulnerability when integrating with Analytics Plus has been fixed in ServiceDesk Plus MSP version 13001. Please refer to this security advisory to learn more and to upgrade to the latest version.
A privilege escalation vulnerability in query reports has been fixed in ServiceDesk Plus MSP version 10609. Please refer to this security advisory to learn more and to upgrade to the latest version.
A vulnerability that allows unauthorized access to restricted data has been identified and fixed in versions 10609 and above. Please refer to this security advisory for more information and upgrade to the latest version.
An unauthorized access vulnerability that can disclose privileged data has been identified and fixed in versions 10609 and above. Please refer to this security advisory for more information and upgrade to the latest version of ServiceDesk Plus.
An unauthenticated local file disclosure vulnerability that allows non-login users to download files has been fixed in version 10606. Please refer to this security advisory to learn more and upgrade to the latest version.
This security advisory addresses a flaw in handling the request path that made ServiceDesk Plus MSP vulnerable to an unauthenticated arbitrary web-root file disclosure. Please visit this link for more information.
This security advisory addresses an authentication bypass vulnerability that affects ServiceDesk Plus MSP versions up to 10532.
Please note that we are noticing exploits of this authentication bypass vulnerability, and we strongly urge all customers using ServiceDesk Plus MSP (all editions) with versions up to 10532 to update to the latest version immediately.
This vulnerability can allow an adversary to execute arbitrary code and conduct any subsequent attacks.
One of the application filters used for handling state in the list view was not configured properly, and a crafted URL using this filter would enable an authenticated URL to be accessed without proper authentication.
This vulnerability affects ServiceDesk Plus MSP customers of all editions using versions up to 10532.
We have added additional checks to ensure the filters are properly configured to avoid the authentication bypass vulnerability.
Click the Help link in the top-right corner of the ServiceDesk Plus MSP web client, and select About from the drop-down to see your current version. If your current version is 10532 and below, you might be affected.
Please follow this forum post for any further updates regarding this vulnerability.
Customers who fit the above criteria can upgrade to the latest version (10533) using the appropriate migration path.
Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to support@servicedeskplusmsp.com or call us toll-free at +1.888.720.9500.
Important note: As always, make a copy of the entire ServiceDesk Plus MSP installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the ServiceDesk Plus MSP database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at support@servicedeskplusmsp.com.
Thanks,
Umasankar
ServiceDesk Plus MSP team.
This security advisory addresses an unauthenticated remote code execution (RCE) vulnerability affecting ServiceDesk Plus MSP versions 10527 till 10529.
This vulnerability was addressed on September 16, 2021 in versions 10530 and above, and an advisory was published as well.
Please note that we are noticing exploits of this vulnerability, and we strongly urge all customers using ServiceDesk Plus MSP (all editions) with versions 10527 till 10529 to update to the latest version immediately.
This vulnerability can allow an adversary to execute arbitrary code and carry out any subsequent attacks.
A security misconfiguration in ServiceDesk Plus MSP led to the vulnerability.
This vulnerability affects ServiceDesk Plus MSP customers of all editions using versions 10527 till 10529.
The vulnerability has been addressed by properly configuring the security configuration and removing the unused URL in versions 10530 and above.
Click the Help link in the top-right corner of the ServiceDesk Plus MSP web client, and select About from the drop-down to see your current version. If your current version is from 10527 to 10529, you might be affected.
Please follow this forum post for any further updates regarding this vulnerability.
Customers who fit the above criteria can upgrade to the latest version (10532) using the appropriate migration path.
Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to support@servicedeskplusmsp.com or call us toll-free at +1.888.720.9500.
Important note: As always, make a copy of the entire ServiceDesk Plus MSP installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the ServiceDesk Plus MSP database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at support@servicedeskplusmsp.com.
Thanks,
Umasankar
ServiceDesk Plus MSP team.
This is a security advisory regarding an insufficient authentication and authorization handling vulnerability (CVE-2021-37414) in ManageEngine Endpoint Central (formerly Desktop Central), reported by an external security researcher via our bug bounty program.
Who is affected?:
This vulnerability affects customers of ServiceDesk Plus MSP (Professional and Enterprise editions) who have installed Endpoint Central (formerly Desktop Central) to leverage the unified agent for asset inventory.
Affected build numbers of Endpoint Central (formerly Desktop Central):
Endpoint Central (formerly Desktop Central) installations with the following build numbers are affected:
10.1.2121.03
10.1.2121.02
10.1.2121.04
10.1.2127.01
Severity: High
What was the problem?
An endpoint was found with insufficient access control in the Endpoint Central (formerly Desktop Central) server, which when exploited could lead to an unauthorized user gaining access to the
This security advisory addresses a flaw in handling the request path that made ServiceDesk Plus MSP vulnerable to an unauthenticated arbitrary web-root file disclosure. Please visit this link for more information.
This security advisory addresses an authentication bypass vulnerability that affects ServiceDesk Plus MSP versions up to 10532.
Please note that we are noticing exploits of this authentication bypass vulnerability, and we strongly urge all customers using ServiceDesk Plus MSP (all editions) with versions up to 10532 to update to the latest version immediately.
This vulnerability can allow an adversary to execute arbitrary code and conduct any subsequent attacks.
One of the application filters used for handling state in the list view was not configured properly, and a crafted URL using this filter would enable an authenticated URL to be accessed without proper authentication.
This vulnerability affects ServiceDesk Plus MSP customers of all editions using versions up to 10532.
We have added additional checks to ensure the filters are properly configured to avoid the authentication bypass vulnerability.
Click the Help link in the top-right corner of the ServiceDesk Plus MSP web client, and select About from the drop-down to see your current version. If your current version is 10532 and below, you might be affected.
Please follow this forum post for any further updates regarding this vulnerability.
Customers who fit the above criteria can upgrade to the latest version (10533) using the appropriate migration path.
Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to support@servicedeskplusmsp.com or call us toll-free at +1.888.720.9500.
Important note: As always, make a copy of the entire ServiceDesk Plus MSP installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the ServiceDesk Plus MSP database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at support@servicedeskplusmsp.com.
Thanks,
Umasankar
ServiceDesk Plus MSP team.
This security advisory addresses an unauthenticated remote code execution (RCE) vulnerability affecting ServiceDesk Plus MSP versions 10527 till 10529.
This vulnerability was addressed on September 16, 2021 in versions 10530 and above, and an advisory was published as well.
Please note that we are noticing exploits of this vulnerability, and we strongly urge all customers using ServiceDesk Plus MSP (all editions) with versions 10527 till 10529 to update to the latest version immediately.
This vulnerability can allow an adversary to execute arbitrary code and carry out any subsequent attacks.
A security misconfiguration in ServiceDesk Plus MSP led to the vulnerability.
This vulnerability affects ServiceDesk Plus MSP customers of all editions using versions 10527 till 10529.
The vulnerability has been addressed by properly configuring the security configuration and removing the unused URL in versions 10530 and above.
Click the Help link in the top-right corner of the ServiceDesk Plus MSP web client, and select About from the drop-down to see your current version. If your current version is from 10527 to 10529, you might be affected.
Please follow this forum post for any further updates regarding this vulnerability.
Customers who fit the above criteria can upgrade to the latest version (10532) using the appropriate migration path.
Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to support@servicedeskplusmsp.com or call us toll-free at +1.888.720.9500.
Important note: As always, make a copy of the entire ServiceDesk Plus MSP installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the ServiceDesk Plus MSP database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at support@servicedeskplusmsp.com.
Thanks,
Umasankar
ServiceDesk Plus MSP team.
This is a security advisory regarding an insufficient authentication and authorization handling vulnerability (CVE-2021-37414) in ManageEngine Desktop Central, reported by an external security researcher via our bug bounty program.
Who is affected?:
This vulnerability affects customers of ServiceDesk Plus MSP (Professional and Enterprise editions) who have installed Desktop Central to leverage the unified agent for asset inventory.
Affected build numbers of Desktop Central:
Desktop Central installations with the following build numbers are affected:
10.1.2121.03
10.1.2121.02
10.1.2121.04
10.1.2127.01
Severity: High
What was the problem?
An endpoint was found with insufficient access control in the Desktop Central server, which when exploited could lead to an unauthorized user gaining access to the Desktop Central instance.
How have we fixed the vulnerability?
The vulnerability has been identified and fixed in the latest build of Desktop Central. To apply the fix, follow the steps below:
Note: This vulnerability is not applicable to the cloud editions of Desktop Central, Patch Manager Plus, and Remote Access Plus.
For further details, please contact support at support@servicedeskplusmsp.com.
Important note: As always, make a copy of the entire Desktop Central installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the Desktop Central database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at support@servicedeskplusmsp.com
Thanks,
Umasankar
ServiceDesk Plus MSP team.
This is a security advisory regarding a possible authentication bypass vulnerability in a few application URLs in ServiceDesk Plus MSP, which has been identified and rectified.
Users of ServiceDesk Plus MSP (all editions) with version 10527 and above might be affected by this vulnerability and are advised to update to the latest version (10530) immediately.
Severity: High
Impact:
This vulnerability allows an attacker to gain unauthorized access to the application's data through a few of its application URLs. To do so, an attacker has to manipulate any vulnerable application URL path from the assets module with a proper character set replacement.
This URL can bypass the authentication process and fetch the required data for the attacker, allowing the attacker to gain unauthorized access to user data or carry out subsequent attacks.
What led to the vulnerability?
The improper security configuration process used in ServiceDesk Plus MSP led to the vulnerability.
Who is affected?
This vulnerability affects ServiceDesk Plus MSP customers of all editions using versions 10527 and above.
How have we fixed it?
The vulnerability has been addressed by fixing the security configuration process in the latest version of ServiceDesk Plus MSP.
How to find out if you are affected
Click the Help link in the top-right corner of the ServiceDesk Plus MSP web client, and select About from the drop-down to see your current version. If your current version is 10527 or above, you might be affected.
What customers should do
Customers who fit the above criteria can upgrade to the latest version (10530) using the appropriate migration path.
Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to support@servicedeskplusmsp.com or call us toll-free at +1.888.720.9500.
Important note:
As always, make a copy of the entire ServiceDesk Plus MSP installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the ServiceDesk Plus MSP database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at support@servicedeskplusmsp.com
Thanks,
Umasankar
ServiceDesk Plus MSP team.
This is a security advisory regarding possible Integer/Heap Overflow - Remote Code Execution (RCE) and Remote Denial of Service vulnerabilities in ServiceDesk Plus MSP and Remote AssetExplorer (software used for distributed asset scans), which have been identified and rectified.
Users of ServiceDesk Plus MSP (Professional and Enterprise editions) with versions up to 10525 and using the distributed asset scanning agents from Remote AssetExplorer might be affected by the vulnerabilities and are advised to update to the latest version (10526) immediately.
Severity: High
Impact:
The Integer/Heap Overflow - RCE vulnerability allows an attacker to send a new scan request to a listening agent on the network and also receive the agent's HTTP request verifying its authtoken. The agent reaching out over HTTP makes it vulnerable to an integer overflow, which can be turned into a heap overflow if the POST payload response is too large. This allows for RCE as NT AUTHORITY/SYSTEM on the agent machine.
The Remote Denial of Service vulnerability might be exploited to repetitively send commands to the Remote AssetExplorer agent, which listens on port 9000 for incoming commands over HTTPS from the ManageEngine server. While these commands may not be executed, the Remote AssetExplorer agent reaches out to the ManageEngine server for an HTTP request, which results in a memory leak. These memory leaks allow a remote attacker to send commands to the agent repetitively and eventually crash the agent due to an out-of-memory condition.
What led to the vulnerabilities?
The Integer/Heap Overflow - RCE vulnerability was caused by ServiceDesk Plus MSP's distributed asset scan agent, Remote AssetExplorer, not validating HTTPS certificates, which allows an attacker on the network to statically configure their IP address to match the ServiceDesk Plus MSP server's IP address.
The Remote Denial of Service vulnerability was caused by HTTPS certificates not being verified, which allows any arbitrary user on the network to send commands over port 9000.
Moreover, ServiceDesk Plus MSP (up to version 10525) allowed vulnerable agents to be downloaded from the product UI itself.
Who is affected?
These vulnerabilities affect customers of the Professional and Enterprise editions of ServiceDesk Plus MSP using versions up to 10525 and using the product’s distributed asset scanning agents.
How have we fixed them?
Both vulnerabilities are resolved in ServiceDesk Plus MSP 10526. In ServiceDesk Plus MSP, we have removed the built-in remote agent support, and agent-based scanning can no longer be performed directly from ServiceDesk Plus MSP; instead, all agents must push data through Remote AssetExplorer servers.
Remote AssetExplorer has adopted Desktop Central's unified agent for asset discovery. You can download the compatible Remote AssetExplorer build here. (Note: This Remote AssetExplorer build is compatible only with the latest version, i.e., ServiceDesk Plus MSP 10526 and above.)
How to find out if you are affected
Click the Help link in the top-right corner of the ServiceDesk Plus MSP web client. Select the About option from the drop-down to see your current version. If your current version (Professional and Enterprise editions) is 10525 or below and you are using the asset scanning agent in ServiceDesk Plus MSP, you might be affected.
What customers should do
Customers who fit the above criteria can upgrade to the latest version (10526) using the appropriate migration path here.
Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to support@servicedeskplusmsp.com or call us toll-free at +1.888.720.9500.
Important note:
As always, make a copy of the entire ServiceDesk Plus MSP installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the ServiceDesk Plus MSP database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at support@servicedeskplusmsp.com
Thanks,
Umasankar
ServiceDesk Plus MSP team.
This is a security advisory for ServiceDesk Plus MSP customers using versions 9302 or earlier. We recommend that you upgrade to the latest version of ServiceDesk Plus MSP, 9305, to fix the security vulnerability described below.
Description: ServiceDesk Plus MSP contained a vulnerability through which it was possible to upload files using an unauthenticated servlet. This was identified and disclosed by Digital Defense, a provider of security risk assessment solutions. For details, please refer to the public disclosure published on January 30th.
Severity: Very High
Affects: ServiceDesk Plus MSP customers using version 9302 or earlier.
Background: Digital Defense responsibly disclosed the vulnerability to ManageEngine in November of 2017. Shortly afterwards, our security and development teams touched base with Digital Defense to gather more information. We accord the highest priority to fixing vulnerabilities, and this particular vulnerability was addressed on January 11th with an update to ServiceDesk Plus MSP (version 9305).
Next Steps: Download the upgrade pack from https://www.manageengine.com/products/service-desk/service-packs.html and immediately upgrade to the latest version (9305). Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to support@servicedeskplusmsp.com or or call us toll-free at +1.888.720.9500.
Important Note: As always, make a copy of the entire ServiceDesk Plus MSP installation folder before applying the upgrade and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using a MS SQL server as a back-end database, back up the ServiceDesk Plus MSP database before applying the upgrade. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused.
Thanks,
Umasankar
ServiceDesk Plus MSP team.
How have we fixed the vulnerability?
The vulnerability has been identified and fixed in the latest build of Endpoint Central (formerly Desktop Central). To apply the fix, follow the steps below:
Note: This vulnerability is not applicable to the cloud editions of Endpoint Central (formerly Desktop Central), Patch Manager Plus, and Remote Access Plus.
For further details, please contact support at support@servicedeskplusmsp.com.
Important note: As always, make a copy of the entire Endpoint Central (formerly Desktop Central) installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the Endpoint Central (formerly Desktop Central) database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at support@servicedeskplusmsp.com
Thanks,
Umasankar
ServiceDesk Plus MSP team.
This is a security advisory regarding a possible authentication bypass vulnerability in a few application URLs in ServiceDesk Plus MSP, which has been identified and rectified.
Users of ServiceDesk Plus MSP (all editions) with version 10527 and above might be affected by this vulnerability and are advised to update to the latest version (10530) immediately.
Severity: High
Impact:
This vulnerability allows an attacker to gain unauthorized access to the application's data through a few of its application URLs. To do so, an attacker has to manipulate any vulnerable application URL path from the assets module with a proper character set replacement.
This URL can bypass the authentication process and fetch the required data for the attacker, allowing the attacker to gain unauthorized access to user data or carry out subsequent attacks.
What led to the vulnerability?
The improper security configuration process used in ServiceDesk Plus MSP led to the vulnerability.
Who is affected?
This vulnerability affects ServiceDesk Plus MSP customers of all editions using versions 10527 and above.
How have we fixed it?
The vulnerability has been addressed by fixing the security configuration process in the latest version of ServiceDesk Plus MSP.
How to find out if you are affected
Click the Help link in the top-right corner of the ServiceDesk Plus MSP web client, and select About from the drop-down to see your current version. If your current version is 10527 or above, you might be affected.
What customers should do
Customers who fit the above criteria can upgrade to the latest version (10530) using the appropriate migration path.
Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to support@servicedeskplusmsp.com or call us toll-free at +1.888.720.9500.
Important note:
As always, make a copy of the entire ServiceDesk Plus MSP installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the ServiceDesk Plus MSP database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at support@servicedeskplusmsp.com
Thanks,
Umasankar
ServiceDesk Plus MSP team.
This is a security advisory regarding possible Integer/Heap Overflow - Remote Code Execution (RCE) and Remote Denial of Service vulnerabilities in ServiceDesk Plus MSP and Remote AssetExplorer (software used for distributed asset scans), which have been identified and rectified.
Users of ServiceDesk Plus MSP (Professional and Enterprise editions) with versions up to 10525 and using the distributed asset scanning agents from Remote AssetExplorer might be affected by the vulnerabilities and are advised to update to the latest version (10526) immediately.
Severity: High
Impact:
The Integer/Heap Overflow - RCE vulnerability allows an attacker to send a new scan request to a listening agent on the network and also receive the agent's HTTP request verifying its authtoken. The agent reaching out over HTTP makes it vulnerable to an integer overflow, which can be turned into a heap overflow if the POST payload response is too large. This allows for RCE as NT AUTHORITY/SYSTEM on the agent machine.
The Remote Denial of Service vulnerability might be exploited to repetitively send commands to the Remote AssetExplorer agent, which listens on port 9000 for incoming commands over HTTPS from the ManageEngine server. While these commands may not be executed, the Remote AssetExplorer agent reaches out to the ManageEngine server for an HTTP request, which results in a memory leak. These memory leaks allow a remote attacker to send commands to the agent repetitively and eventually crash the agent due to an out-of-memory condition.
What led to the vulnerabilities?
The Integer/Heap Overflow - RCE vulnerability was caused by ServiceDesk Plus MSP's distributed asset scan agent, Remote AssetExplorer, not validating HTTPS certificates, which allows an attacker on the network to statically configure their IP address to match the ServiceDesk Plus MSP server's IP address.
The Remote Denial of Service vulnerability was caused by HTTPS certificates not being verified, which allows any arbitrary user on the network to send commands over port 9000.
Moreover, ServiceDesk Plus MSP (up to version 10525) allowed vulnerable agents to be downloaded from the product UI itself.
Who is affected?
These vulnerabilities affect customers of the Professional and Enterprise editions of ServiceDesk Plus MSP using versions up to 10525 and using the product’s distributed asset scanning agents.
How have we fixed them?
Both vulnerabilities are resolved in ServiceDesk Plus MSP 10526. In ServiceDesk Plus MSP, we have removed the built-in remote agent support, and agent-based scanning can no longer be performed directly from ServiceDesk Plus MSP; instead, all agents must push data through Remote AssetExplorer servers.
Remote AssetExplorer has adopted Endpoint Central (formerly Desktop Central)'s unified agent for asset discovery. You can download the compatible Remote AssetExplorer build here. (Note: This Remote AssetExplorer build is compatible only with the latest version, i.e., ServiceDesk Plus MSP 10526 and above.)
How to find out if you are affected
Click the Help link in the top-right corner of the ServiceDesk Plus MSP web client. Select the About option from the drop-down to see your current version. If your current version (Professional and Enterprise editions) is 10525 or below and you are using the asset scanning agent in ServiceDesk Plus MSP, you might be affected.
What customers should do
Customers who fit the above criteria can upgrade to the latest version (10526) using the appropriate migration path here.
Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to support@servicedeskplusmsp.com or call us toll-free at +1.888.720.9500.
Important note:
As always, make a copy of the entire ServiceDesk Plus MSP installation folder before applying the upgrade, and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using an MS SQL server as a back-end database, back up the ServiceDesk Plus MSP database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused. If you have any questions or concerns, please reach out to us at support@servicedeskplusmsp.com
Thanks,
Umasankar
ServiceDesk Plus MSP team.
This is a security advisory for ServiceDesk Plus MSP customers using versions 9302 or earlier. We recommend that you upgrade to the latest version of ServiceDesk Plus MSP, 9305, to fix the security vulnerability described below.
Description: ServiceDesk Plus MSP contained a vulnerability through which it was possible to upload files using an unauthenticated servlet. This was identified and disclosed by Digital Defense, a provider of security risk assessment solutions. For details, please refer to the public disclosure published on January 30th.
Severity: Very High
Affects: ServiceDesk Plus MSP customers using version 9302 or earlier.
Background: Digital Defense responsibly disclosed the vulnerability to ManageEngine in November of 2017. Shortly afterwards, our security and development teams touched base with Digital Defense to gather more information. We accord the highest priority to fixing vulnerabilities, and this particular vulnerability was addressed on January 11th with an update to ServiceDesk Plus MSP (version 9305).
Next Steps: Download the upgrade pack from https://www.manageengine.com/products/service-desk/service-packs.html and immediately upgrade to the latest version (9305). Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to support@servicedeskplusmsp.com or or call us toll-free at +1.888.720.9500.
Important Note: As always, make a copy of the entire ServiceDesk Plus MSP installation folder before applying the upgrade and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using a MS SQL server as a back-end database, back up the ServiceDesk Plus MSP database before applying the upgrade. Once the upgrade is successfully completed, remember to delete the backup.
We offer our sincerest apologies for any inconvenience this may have caused.
Thanks,
Umasankar
ServiceDesk Plus MSP team.