CVE-2020-15521

high-risk

Published 2020-09-25

Zoho ManageEngine Applications Manager before 14 build 14730 has no protection against jsp/header.jsp Cross-site Scripting (XSS) .

Do I need to act?

~

7.3% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

-

Not on CISA KEV list

No confirmed active exploitation reported to CISA

?

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

6

CVSS 6.1/10 Medium

NETWORK / LOW complexity

Affected Products (20)

Manageengine Applications Manager

Manageengine Applications Manager

Manageengine Applications Manager

Manageengine Applications Manager

Manageengine Applications Manager

Manageengine Applications Manager

Manageengine Applications Manager

Manageengine Applications Manager

Manageengine Applications Manager

Manageengine Applications Manager

Manageengine Applications Manager

Manageengine Applications Manager

Manageengine Applications Manager

Manageengine Applications Manager

Manageengine Applications Manager

Manageengine Applications Manager

Manageengine Applications Manager

Manageengine Applications Manager

Manageengine Applications Manager

Manageengine Applications Manager

Affected Vendors

Zohocorp

References (4)

Product https://www.manageengine.com

Vendor Advisory https://www.manageengine.com/products/applications_manager/issues.html#v14730

Product https://www.manageengine.com

Vendor Advisory https://www.manageengine.com/products/applications_manager/issues.html#v14730

62

/ 100

high-risk

Severity 23/34 · High

Exploitability 10/34 · Low

Exposure 29/34 · Critical