Vulnerability Details CVE-2019-15083
Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute code on the Manage Engine ServiceDesk administrator side. At "Asset Home > Server > <workstation> > software" the administrator of ManageEngine can control what software is installed on the workstation. This table shows all the installed program names in the Software column. In this field, a remote attacker can inject malicious code in order to execute it when the ManageEngine administrator visualizes this page.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.012
EPSS Ranking 78.2%
CVSS Severity
CVSS v3 Score 6.1
CVSS v2 Score 4.3
References
- http://packetstormsecurity.com/files/157717/ManageEngine-Service-Desk-10.0-Cross-Site-Scripting.html
- https://www.exploit-db.com/exploits/48473
- https://www.manageengine.com/products/service-desk/on-premises/readme.html#readme105
- https://www.manageengine.com/products/service-desk/readme.html
- http://packetstormsecurity.com/files/157717/ManageEngine-Service-Desk-10.0-Cross-Site-Scripting.html
- https://www.exploit-db.com/exploits/48473
- https://www.manageengine.com/products/service-desk/on-premises/readme.html#readme105
- https://www.manageengine.com/products/service-desk/readme.html
Products affected by CVE-2019-15083
-
cpe:2.3:a:zohocorp:manageengine_servicedesk_plus:10.0.0