Zoho ManageEngine ServiceDesk Plus 9.3 - Cross-Site Scripting Vulnerability

2019-05-23T00:00:00
ID 1337DAY-ID-32770
Type zdt
Reporter Vingroup
Modified 2019-05-23T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            # Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting
# Exploit Author: Enter of VinCSS (Vingroup)
# Vendor Homepage: https://www.manageengine.com/products/service-desk
# Version: Zoho ManageEngine ServiceDesk Plus 9.3
# CVE : CVE-2019-12189


An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field.

The vulnerability stems from the confusion of both single quotes and semicolon in the query string of the URL.

payload: ';alert('XSS');' Attack vector: http:///site.com/SearchN.do

#  0day.today [2019-05-24]  #