CVE-2019-15083 Information
Description
Default installations of Zoho ManageEngine ServiceDesk Plus 10.0 before 10500 are vulnerable to stored XSS injected by a local administrator of a managed workstation. Using the installed program names on that computer as the vector, the local administrator can execute script in the browser of the ManageEngine ServiceDesk administrator. Under \Asset Home Server workstation software\ the ManageEngine administrator can review which software is installed on the workstation; this table lists every installed program name in the Software column. An attacker who controls a program name on the workstation can inject malicious code into this field, and it executes when the ManageEngine administrator views the page.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Reference
http://packetstormsecurity.com/files/157717/ManageEngine-Service-Desk-10.0-Cross-Site-Scripting.html
https://www.exploit-db.com/exploits/48473
https://www.manageengine.com/products/service-desk/on-premises/readme.htmlreadme105
https://www.manageengine.com/products/service-desk/readme.html
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
Base Score
6.1
Base Severity
MEDIUM