A new version of Help Desk Manager has been released and is available to download from the N-able downloads page.
New Features, Improvements, and Enhancements
- Software Library Upgrades:
  - Upgraded Tomcat to version 9.0.96.
  - Upgraded JDK to version 11.0.25.
Fixed Issues
- Checklist Deletion: Resolved an issue preventing users from deleting checklists.
- Ticket Visibility: Technicians can now see non-tech group assigned tickets in the My Ticket and Group Ticket tabs.
- Outgoing Mail Authentication: Implemented Graph API authentication changes for outgoing mail accounts.
- Save Note Button: Fixed an issue where the “Save Note” button was disabled for tickets with custom fields (Currency).
- Session Stability: Resolved a session crash caused by specific character combinations in text fields.
- SSO/ADFS Login: Users can now successfully log in using SSO/ADFS.
Security Fixes
HDM-Specific CVEs
| CVE-ID | Vulnerability Title | Description | Severity | Credit |
|---|---|---|---|---|
| CVE-2024-45709 | Help Desk Manager Local File Read | Help Desk Manager was susceptible to a local file read vulnerability. Exposure was limited to non-default development/test mode on Linux installations. | 5.3 Medium | Harsh Jaiswal, Project Discovery |
Third-Party CVEs
| CVE-ID | Vulnerability Title | Description | Severity |
|---|---|---|---|
| CVE-2020-26870 | Cross-Site Scripting (DOMPurify) | DOMPurify before 2.0.17 allowed mutation XSS due to serialize-parse inconsistencies, changing namespaces. | 6.1 Medium |
| CVE-2024-52316 | Unchecked Error Condition (Apache Tomcat) | Vulnerability in Apache Tomcat allowed potential authentication bypass in certain custom configurations. Fixed in Tomcat 9.0.96 and higher. | 9.8 Critical |
| CVE-2024-45801 | Cross-Site Scripting (DOMPurify) | DOMPurify versions before 2.5.4 and 3.1.3 were vulnerable to nesting-based mXSS attacks. | 7.3 High |
| CVE-2024-47875 | Cross-Site Scripting (DOMPurify) | DOMPurify versions before 2.5.0 and 3.1.3 were vulnerable to nesting-based mXSS attacks. | 9.8 Critical |
| CVE-2024-48910 | Prototype Pollution (DOMPurify) | DOMPurify versions before 2.4.2 were vulnerable to prototype pollution, allowing attackers to tamper with data. | 9.1 Critical |
Upgrade Recommendations
We strongly encourage all users to upgrade to the latest version to take advantage of new features, fixes, and security enhancements.