PT-2019-7901 · Zoho · Zoho Manageengine Applications Manager

Published

2019-05-23

Updated

2019-05-27

CVE-2017-11739

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Zoho ManageEngine Application Manager version 13.1 Build 13100

Description The issue allows an authenticated user with administrative privileges to add a widget on any dashboard. This widget can be a "Utility Widget" with a "Custom HTML or Text" field, which can be exploited by creating a widget that contains malicious JavaScript code.

Recommendations For Zoho ManageEngine Application Manager version 13.1 Build 13100, consider disabling the ability to add "Utility Widget" with a "Custom HTML or Text" field until a patch is available. Restrict access to the dashboard where the widget can be added to minimize the risk of exploitation.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2017-11739

Affected Products

Zoho Manageengine Applications Manager

PT-2019-7901 · Zoho · Zoho Manageengine Applications Manager

CVE-2017-11739

Weakness Enumeration

Related Identifiers

Affected Products

References · 6