Description
Zohocorp ManageEngine ServiceDesk Plus MSP and SupportCenter Plus versions below 14920 are vulnerable to authenticated Local File Inclusion (LFI) in the Admin module, where help card content is loaded.
CVSS Metrics
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Attack Vector
- network
- Complexity
- low
- Privileges
- low
- User Action
- none
- Scope
- unchanged
- Confidentiality
- high
- Integrity
- none
- Availability
- none
- Weaknesses
- CWE-434
Metadata
- Primary Vendor
- ZOHOCORP
- Published
- 5/22/2025
- Last Modified
- 6/17/2025
- Source
- NIST NVD
- Note: Verify all details with official vendor sources before applying patches.
Affected Products
zohocorp : manageengine_servicedesk_plus_mspzohocorp : manageengine_servicedesk_plus_mspzohocorp : manageengine_servicedesk_plus_mspzohocorp : manageengine_supportcenter_pluszohocorp : manageengine_supportcenter_pluszohocorp : manageengine_supportcenter_plus
AI-Powered Remediation
Generate remediation guidance or a C-suite brief for this vulnerability.