CVE-2021-46065: Findings/ManageEngine XSS.md at main · corrupted-brain/Findings

A Cross-site scripting (XSS) vulnerability in the Secondary Email field of Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306 allows an attacker to inject arbitrary JavaScript code.


Stored Cross Site Scripting in ManageEngine ServiceDesk Plus

Description: In ManageEngine ServiceDesk Plus, an admin-privileged user can manage other users. When creating a new user or editing an existing one, a "Secondary Email" field is available. The field validates the TLD portion of the email address correctly, but it also renders HTML tags contained in the value. As a result, injected JavaScript is executed as well. The ManageEngine team fixed the issue and assigned ZVE-2021-3102 to track the vulnerability.

Vulnerable Product Version: 11.3 Build 11306

Fixed Product Version: 12001

Steps to reproduce:

  1. Entering HTML tags in the Secondary Email field shows that they are rendered as HTML rather than displayed as text. [Screenshot: HTML Render]

  2. Then I used the payload <script>alert(1)</script>@example.com and saved the email address. The injected code is executed, producing a JavaScript popup. [Screenshot: XSS popup]

The issue was later patched by ManageEngine with update ID SD-98506.
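The root cause described above is a validator that inspects only the domain/TLD part of the address and a view that concatenates the stored value straight into HTML. The following Python example is added here for illustration and is not ManageEngine's code: it reproduces that weak check beside a strict allow-list validator for the whole address, and shows an unescaped render beside an output-encoded one. The payload string is the one quoted in the advisory; the "legitimate" address and the function and variable names are constructed for the example.

```python
import html
import re

# Constructed sample inputs. XSS_PAYLOAD is the string quoted in the advisory;
# LEGIT_EMAIL is a made-up well-formed address used for contrast.
XSS_PAYLOAD = "<script>alert(1)</script>@example.com"
LEGIT_EMAIL = "first.last+tickets@example.com"

# Weak check modelled on the behaviour the advisory describes: only the text
# after the last '@' is inspected, so the local part may contain anything.
TLD_ONLY_RE = re.compile(r"@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def weak_tld_check(email: str) -> bool:
    """Return True if the domain/TLD part looks sane; the local part is never examined."""
    return TLD_ONLY_RE.search(email) is not None


# Strict allow-list validation of the whole address. The local part is limited
# to the RFC 5322 'atext' characters plus dots, so '<', '>', '"', spaces and
# other markup characters are rejected before the value is ever stored.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
STRICT_EMAIL_RE = re.compile(
    rf"^{_ATEXT}(?:\.{_ATEXT})*@{_LABEL}(?:\.{_LABEL})*\.[A-Za-z]{{2,}}$"
)


def strict_email_check(email: str) -> bool:
    """Return True only if every character of the address is on the allow-list."""
    return len(email) <= 254 and STRICT_EMAIL_RE.fullmatch(email) is not None


def vulnerable_render(secondary_email: str) -> str:
    """The unsafe pattern: the stored value is concatenated into the page as-is."""
    return f'<td class="secondary-email">{secondary_email}</td>'


def safe_render(secondary_email: str) -> str:
    """Output-encode the value at the point it is placed into HTML.

    Even if a bad value slipped past input validation, escaping here keeps
    it inert: the browser displays the tags instead of executing them.
    """
    return f'<td class="secondary-email">{html.escape(secondary_email, quote=True)}</td>'


if __name__ == "__main__":
    for addr in (LEGIT_EMAIL, XSS_PAYLOAD):
        print(f"{addr!r}: weak={weak_tld_check(addr)} strict={strict_email_check(addr)}")
        print("  unsafe:", vulnerable_render(addr))
        print("  safe:  ", safe_render(addr))
```

Both layers matter: the strict validator stops markup from being stored, and the escaping render keeps the page safe for values that were stored before the validator existed (the fixed build would still hold legacy records). A regression test that submits the advisory's payload through the user-edit form and asserts it is rejected, or at least escaped in every view that shows the field, is the natural way to keep this from reappearing.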
