CVE-2018-9163

Name of the Vulnerable Software and Affected Versions Zoho ManageEngine Recovery Manager Plus versions prior to 5.3 (Build 5350)

Description A stored Cross-site scripting (XSS) issue allows remote authenticated users with Add New Technician permissions to inject arbitrary web script or HTML via the loginName field to the "technicianAction.do" endpoint.

Recommendations For versions prior to 5.3 (Build 5350), update to version 5.3 (Build 5350) or later to resolve the issue. As a temporary workaround, consider restricting access to the "technicianAction.do" endpoint for users with Add New Technician permissions until the update is applied.