You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I found a Reflected XSS in the Zoho ManageEngine Applications Manager 13 (13810 build) via the method parameter in /deleteMO.do?listview=true&method=deleteMO&viewmontype= GET request.
We apologise for the inconvenience this may have caused to our customers.
These issues were fixed in July itself, with the release of version 13820. Please upgrade to the latest version from here: http://bit.ly/APMDownload
Zoho manageengine Applications Manager 13 (13810 build) Reflected XSS
Date: 2018/07/18
Software Link: https://www.manageengine.com/products/applications_manager/download.html
Category: Web Application
Exploit Author: jacky xing From DBAppSecurity
Exploit Author's Email: jacky.xing@dbappsecurity.com.cn
CVE:CVE-2018-15169
I found a Reflected XSS in the Zoho ManageEngine Applications Manager 13 (13810 build) via the method parameter in
/deleteMO.do?listview=true&method=deleteMO&viewmontype= GET
request.Proof of Concept
Local test:
Demo site test:
Notice: This vul can reproduce without login.
The vendor has fixed the vulnerability:
https://www.manageengine.com/products/applications_manager/issues.html
The text was updated successfully, but these errors were encountered: