[CVE-2018-9163] Zoho ManageEngine Recovery Manager Plus 5.3 (Build 5330) Stored Cross-Site-Scripting (XSS) Vulnerability

Official Website: https://www.manageengine.com/ad-recovery-manager/

In the Add New Technician(s) section on the /admin/technicians page of ManageEngine Recovery Manager Plus 5.3 (Build 5330), the Login Name parameter is vulnerable to stored cross-site scripting by remote authenticated users. The submitted value is written to the database without sanitisation and is rendered back to every user who views the technician list, so the injected script executes in the browser of any administrator who opens that page.

From the Add New Technician(s) page, it is possible to inject malicious web code into the Login Name parameter. The HTTP request looks like the following:
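As an added illustration (not code from this advisory or from ManageEngine, whose server-side rendering is not shown on this page), the block below models the failure pattern behind a stored XSS of this kind: a technician record whose Login Name carries markup is concatenated into the page, versus the same record rendered through an HTML encoder. The record, the encoder, the `renderTechnicianRow*` functions and the `isValidLoginName` allowlist are all assumptions made for the example; the payload is a constructed probe, not a request taken from the product.

```javascript
// Added example, not ManageEngine code. Models why a stored value such as a
// technician's Login Name must be HTML-encoded at render time, and what a
// minimal context-aware encoder plus an input allowlist look like.

// Encode the five characters that matter in HTML text and quoted-attribute
// contexts. Any other character is left untouched.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe rendering: the stored field is concatenated straight into markup, so a
// Login Name containing a tag is interpreted as HTML by every viewer of the list.
function renderTechnicianRowUnsafe(tech) {
  return `<tr><td>${tech.loginName}</td><td>${tech.role}</td></tr>`;
}

// Safe rendering: each untrusted field is encoded for the context it lands in.
function renderTechnicianRowSafe(tech) {
  return `<tr><td>${escapeHtml(tech.loginName)}</td><td>${escapeHtml(tech.role)}</td></tr>`;
}

// Defence in depth on the input side (assumed policy): a login name is 1-64
// characters drawn from a conservative allowlist. Rejecting '<', '>', '"' and
// friends at write time limits the blast radius if an output path is missed.
function isValidLoginName(name) {
  return /^[A-Za-z0-9._@-]{1,64}$/.test(name);
}

// Does the rendered markup still contain the raw fragment from the input?
// Used below to show the difference between the two render paths.
function containsRawFragment(html, fragment) {
  return html.includes(fragment);
}

// Constructed sample record whose Login Name is an XSS probe that breaks out of
// an attribute and adds an event handler.
const sampleTechnician = {
  loginName: '"><img src=x onerror=alert(document.domain)>',
  role: 'Operator',
};

const unsafeHtml = renderTechnicianRowUnsafe(sampleTechnician);
const safeHtml = renderTechnicianRowSafe(sampleTechnician);

console.log('unsafe :', unsafeHtml);
console.log('safe   :', safeHtml);
console.log('allowed:', isValidLoginName(sampleTechnician.loginName));
```

The fix that matters is the encoding at the output boundary; the input allowlist is a second, independent control and should never be the only one, because the same stored value may later be rendered into a JavaScript string, a URL or an attribute where a different encoder applies.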

Ahmet Gürel

Cyber Security Researcher | Penetration Tester
