CVE-2019-15083
moderate-risk
Published 2020-05-14
Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to XSS injected by a workstation local administrator. Using the installed program names of the computer as a vector, the local administrator can execute code on the Manage Engine ServiceDesk administrator side. At "Asset Home > Server > <workstation> > software" the administrator of ManageEngine can control what software is installed on the workstation. This table shows all the installed program names in the Software column. In this field, a remote attacker can inject malicious code in order to execute it when the ManageEngine administrator visualizes this page.
Do I need to act?
~
1.9% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.1/10
Medium
NETWORK
/ LOW complexity
Affected Products (20)
Affected Vendors
References (8)
Third Party Advisory
http://packetstormsecurity.com/files/157717/ManageEngine-Service-Desk-10.0-Cross...
Third Party Advisory
https://www.exploit-db.com/exploits/48473
Third Party Advisory
http://packetstormsecurity.com/files/157717/ManageEngine-Service-Desk-10.0-Cross...
Third Party Advisory
https://www.exploit-db.com/exploits/48473
49
/ 100
moderate-risk
Severity
23/34 · High
Exploitability
5/34 · Minimal
Exposure
21/34 · High