Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute code on the Manage Engine ServiceDesk administrator side. At "Asset Home > Server > <workstation> > software" the administrator of ManageEngine can control what software is installed on the workstation. This table shows all the installed program names in the Software column. In this field, a remote attacker can inject malicious code in order to execute it when the ManageEngine administrator visualizes this page.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-05-14T13:45:08

Updated: 2024-08-05T00:34:53.239Z

Reserved: 2019-08-15T00:00:00

Link: CVE-2019-15083

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2020-05-14T14:15:11.600

Modified: 2024-11-21T04:28:01.047

Link: CVE-2019-15083

cve-icon Redhat

No data.