CVE-2017-11739

Name of the Vulnerable Software and Affected Versions Zoho ManageEngine Application Manager version 13.1 Build 13100

Description The issue allows an authenticated user with administrative privileges to add a widget on any dashboard. This widget can be a "Utility Widget" with a "Custom HTML or Text" field, which can be exploited by creating a widget that contains malicious JavaScript code.

Recommendations For Zoho ManageEngine Application Manager version 13.1 Build 13100, consider disabling the ability to add "Utility Widget" with a "Custom HTML or Text" field until a patch is available. Restrict access to the dashboard where the widget can be added to minimize the risk of exploitation.