Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute code on the Manage Engine ServiceDesk administrator side. At "Asset Home > Server > <workstation> > software" the administrator of ManageEngine can control what software is installed on the workstation. This table shows all the installed program names in the Software column. In this field, a remote attacker can inject malicious code in order to execute it when the ManageEngine administrator visualizes this page.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2020-05-14T13:45:08
Updated: 2024-08-05T00:34:53.239Z
Reserved: 2019-08-15T00:00:00
Link: CVE-2019-15083
Vulnrichment
No data.
NVD
Status : Modified
Published: 2020-05-14T14:15:11.600
Modified: 2024-11-21T04:28:01.047
Link: CVE-2019-15083
Redhat
No data.