Vendor: ManageEngine ServiceDesk Plus
By: Enter of VinCSS (Vingroup)
CVSS: 6.1 (MEDIUM)
CWE: 79 (Cross-Site Scripting)
Product Name: ManageEngine ServiceDesk Plus
Affected Version From: Zoho ManageEngine ServiceDesk Plus 9.3
Affected Version To: Zoho ManageEngine ServiceDesk Plus 9.3
Patch Exists: YES
Related CVE: CVE-2019-12189
CPE: a:zoho:manageengine_servicedesk_plus:9.3
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: None
Year: 2019

Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field. The vulnerability stems from improper handling of single quotes and semicolons in the query string of the URL. Payload: ';alert('XSS');' Attack vector: http://site.com/SearchN.do?searchString=';alert('XSS');'

Mitigation:

Ensure that user input is properly sanitized and validated before being used in the application.
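As an added defender-side illustration (not code from the advisory or from ServiceDesk Plus), the snippet below assumes the search term is reflected into a single-quoted JavaScript string, which is the context the published payload is shaped to break out of; it contrasts that unsafe interpolation with JSON-encoding the value, and flags the decoded searchString parameter in constructed access-log lines.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed illustration: the search term lands inside a single-quoted
# JavaScript string. A stray ' closes the literal and ; starts a new statement.
VULN_TEMPLATE = "<script>var q = '%s';</script>"

def reflect_unsafe(search_string: str) -> str:
    """Raw interpolation: quotes and semicolons in the input reach the parser."""
    return VULN_TEMPLATE % search_string

def reflect_safe(search_string: str) -> str:
    """JSON-encode the value so ' and ; stay inside one string literal, then
    hex-escape < and > so a '</script>' in the input cannot end the block."""
    encoded = json.dumps(search_string)
    encoded = encoded.replace("<", "\\u003c").replace(">", "\\u003e")
    return "<script>var q = %s;</script>" % encoded

def js_statement_count(markup: str) -> int:
    """Count ';' outside string literals in the script body. One assignment
    should yield exactly 1; anything more means the input escaped the string."""
    body = re.search(r"<script>(.*)</script>", markup, re.S).group(1)
    count, in_str, quote, escaped = 0, False, "", False
    for ch in body:
        if in_str:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == quote:
                in_str = False
        elif ch in ("'", '"'):
            in_str, quote = True, ch
        elif ch == ";":
            count += 1
    return count

# Constructed access-log lines (Combined Log Format), not real traffic.
LOG_LINES = [
    '10.0.0.5 - - [21/May/2019:10:00:01 +0000] "GET /SearchN.do?searchString=printer HTTP/1.1" 200 512',
    '10.0.0.9 - - [21/May/2019:10:00:07 +0000] "GET /SearchN.do?searchString=%27%3Balert%28%27XSS%27%29%3B%27 HTTP/1.1" 200 640',
    '10.0.0.9 - - [21/May/2019:10:00:09 +0000] "GET /WorkOrder.do?woMode=view HTTP/1.1" 200 900',
]

def flag_search_requests(lines):
    """Return decoded searchString values sent to SearchN.do that carry
    string-breaking or tag characters; percent-encoding is undone first."""
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if not parts.path.endswith("/SearchN.do"):
            continue
        for value in parse_qs(parts.query).get("searchString", []):
            if re.search(r"['\";<>]", value):
                hits.append(value)
    return hits
```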

Exploit-DB raw data:

# Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting
# Date: 2019-05-21
# Exploit Author: Enter of VinCSS (Vingroup)
# Vendor Homepage: https://www.manageengine.com/products/service-desk
# Version: Zoho ManageEngine ServiceDesk Plus 9.3
# CVE : CVE-2019-12189
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field.

The vulnerability stems from the confusion of both single quotes and semicolon in the query string of the URL.

payload: ';alert('XSS');' Attack vector: http:///site.com/SearchN.do