ZOHO ManageEngine ServiceDesk Plus (SDP) Multiple Vulnerabilities - Feb15

Summary
This host is installed with ZOHO ManageEngine ServiceDesk Plus (SDP) and is prone to multiple vulnerabilities.
Impact
Successful exploitation will allow remote authenticated attackers to gain access to ticket information and inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
Impact Level: Application
Solution
Upgrade to version 9.0 build 9031 or later. For updates refer to http://www.manageengine.com/products/service-desk
Insight
The flaws are due to the CreateReportTable.jsp script not properly sanitizing user-supplied input to the 'site' parameter, and to the application not properly restricting access to (1) the getTicketData action of servlet/AJaxServlet or a direct request to (2) swf/flashreport.swf, (3) reports/flash/details.jsp, or (4) reports/CreateReportTable.jsp.
Affected
ZOHO ManageEngine ServiceDesk Plus (SDP) version before 9.0 build 9031
Detection
Get the installed version with the help of the detect NVT and check whether the version is vulnerable.
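As an added example (not code from the NVT itself), the version check below applies the advisory's fixed release, 9.0 build 9031, to a version string of the kind a detect NVT collects. The banner formats it accepts and the assumption that SDP build numbers increase monotonically across releases are mine, not stated in the advisory.

```python
import re
from typing import Optional, Tuple

# Fixed release named in the advisory: 9.0 build 9031.
FIXED_RELEASE = (9, 0)
FIXED_BUILD = 9031

# Constructed patterns for banners such as "9.0 build 9031", "9.0.0 Build 9030",
# "Build 9030" or a bare "9030"; the real detect NVT's patterns may differ.
_RELEASE_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.\d+)*\b")
_BUILD_RE = re.compile(r"\bbuild\s*(\d{4,5})\b", re.IGNORECASE)
_BARE_BUILD_RE = re.compile(r"^\s*(\d{4,5})\s*$")


def parse_sdp_banner(banner: str) -> Tuple[Optional[Tuple[int, int]], Optional[int]]:
    """Return ((major, minor) or None, build or None) parsed from a version banner."""
    rel = _RELEASE_RE.search(banner)
    bld = _BUILD_RE.search(banner) or _BARE_BUILD_RE.match(banner)
    release = (int(rel.group(1)), int(rel.group(2))) if rel else None
    build = int(bld.group(1)) if bld else None
    return release, build


def is_vulnerable(banner: str) -> Optional[bool]:
    """True if affected, False if fixed, None if the banner is too vague to decide."""
    release, build = parse_sdp_banner(banner)
    if build is not None:
        # Assumption: build numbers grow monotonically, so any build below 9031
        # (including 8.x builds in the 8xxx range) predates the fix.
        return build < FIXED_BUILD
    if release is not None:
        if release < FIXED_RELEASE:
            return True   # e.g. 8.1 without a build number: clearly before 9.0 build 9031
        if release > FIXED_RELEASE:
            return False  # e.g. 9.1: released after the fixed build
        return None       # 9.0 without a build number: cannot decide, needs the build
    return None           # no usable version information at all


if __name__ == "__main__":
    for sample in ("9.0 build 9031", "9.0.0 Build 9030", "Build 9030", "8.1 build 8114", "9.0", "9.1"):
        print(f"{sample!r:22} -> {is_vulnerable(sample)}")
```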
References