PT-2018-13800 · Zoho · Zoho Manageengine Supportcenter Plus
Published: 2018-09-21
Updated: 2018-11-09
CVE-2018-16965
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Zoho ManageEngine SupportCenter Plus versions prior to 8.1 Build 8109
Description
The vulnerability is an HTML injection / stored cross-site scripting (XSS) flaw. The contractName parameter of the /ServiceContractDef.do endpoint is not adequately sanitized, so HTML or script supplied in it is stored by the application and later rendered in its pages to other users.
Recommendations
For versions prior to 8.1 Build 8109, update to version 8.1 Build 8109 or later to resolve the issue. As a temporary workaround until the update is applied, restrict access to the /ServiceContractDef.do endpoint or avoid using the contractName parameter.
Fix
XSS
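As an added example (not part of the original advisory), the following Python snippet scans constructed web-server access-log lines for requests to the /ServiceContractDef.do endpoint whose contractName query parameter carries HTML markup, which is one way to check whether the flaw was probed before the update was applied. It assumes a combined-format access log and only sees GET query strings; a contractName submitted in a POST body would need application or WAF logs.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines in combined format (not real traffic).
# Line 2 carries a URL-encoded <script> tag, line 3 plain HTML markup.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Sep/2018:10:00:01 +0000] "GET /ServiceContractDef.do?contractName=Gold+Support&mode=add HTTP/1.1" 200 512
10.0.0.7 - - [21/Sep/2018:10:00:02 +0000] "GET /ServiceContractDef.do?contractName=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&mode=add HTTP/1.1" 200 512
10.0.0.9 - - [21/Sep/2018:10:00:03 +0000] "GET /ServiceContractDef.do?contractName=Acme+%3Cb%3EVIP%3C%2Fb%3E HTTP/1.1" 200 512
10.0.0.5 - - [21/Sep/2018:10:00:04 +0000] "GET /HomePage.do HTTP/1.1" 200 1024
"""

# Endpoint and parameter named in the advisory.
VULN_PATH = "/ServiceContractDef.do"
VULN_PARAM = "contractName"

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO".
REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
# Anything that looks like the start of an HTML tag once decoded
# (a legitimate contract name should never contain one).
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]")


def suspicious_requests(log_text):
    """Return requests whose contractName carries HTML markup."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != VULN_PATH:
            continue
        # parse_qs already percent-decodes once; decode a second time so a
        # double-encoded value (%253C...) is still inspected in plain form.
        for value in parse_qs(parts.query).get(VULN_PARAM, []):
            decoded = unquote_plus(value)
            if MARKUP_RE.search(decoded):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "method": m.group("method"), "value": decoded})
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {VULN_PARAM}={hit['value']!r}")
```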
Affected Products
Zoho Manageengine Supportcenter Plus