The version of ManageEngine ServiceDesk Plus running on the remote host is prior to 14.0 Build 14104. It is, therefore, affected by multiple vulnerabilities, including the following:

– A Denial of Service vulnerability in image upload allows an attacker to exploit the way an API method allocates memory by sending a small image file with a large size defined in the header, causing the application to crash or become unresponsive. (CVE-2023-26601)

– Privilege escalation vulnerability in query reports allows an attacker to gain access to restricted data in a Postgres database system by utilizing a certain PostgreSQL function in the query, allowing the validation process to be bypassed. (CVE-2023-26600)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.Read More