CVE-2012-2585

Name of the Vulnerable Software and Affected Versions ManageEngine ServiceDesk Plus version 8.1

Description The issue allows remote attackers to inject arbitrary web script or HTML via various means, including an e-mail message body or subject, using techniques such as a SCRIPT element, crafted Cascading Style Sheets (CSS) expression properties, or specific attributes of elements like IFRAME or META. This can lead to cross-site scripting (XSS) attacks.

Recommendations For ManageEngine ServiceDesk Plus version 8.1, consider disabling the processing of HTML and CSS elements in e-mail messages until a patch is available. Restrict access to the e-mail handling module to minimize the risk of exploitation. Avoid using the STYLE attribute of arbitrary elements and the SRC attribute of IFRAME elements in e-mail messages until the issue is resolved. As a temporary workaround, consider filtering out SCRIPT elements and crafted CSS expression properties from e-mail messages.