Zoho ManageEngine ServiceDesk Plus version 9.3 suffers from a cross site scripting vulnerability.
5744b5ba08b274ef8062fa3b9ecab06e
# Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting
# Date: 2019-05-21
# Exploit Author: Enter of VinCSS (Vingroup)
# Vendor Homepage: https://www.manageengine.com/products/service-desk
# Version: Zoho ManageEngine ServiceDesk Plus 9.3
# CVE : CVE-2019-12189
An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field.
The vulnerability stems from the confusion of both single quotes and semicolon in the query string of the URL.
payload: ';alert('XSS');' Attack vector: http:///site.com/SearchN.do