CVE-2023-49943

MEDIUM

ManageEngine ServiceDesk Plus MSP < 14504 - Stored Cross-Site Scripting via Task Name in Timesheet

Title source: llm

Zoho ManageEngine ServiceDesk Plus MSP before 14504 allows stored XSS (by a low-privileged technician) via a task's name in a time sheet.

Core 2

Core References

Product

Vendor Advisory

CVSS v3 5.4

EPSS 0.0084

EPSS Percentile 75.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

CWE

CWE-79

Status published

Products (2)

zohocorp/manageengine_servicedesk_plus_msp 14.5 14500 (4 CPE variants)

zohocorp/manageengine_servicedesk_plus_msp < 14.5

Published Jan 18, 2024

Tracked Since Feb 18, 2026