ManageEngine ServiceDesk Plus 8.0 Multiple Stored XSS Vulnerabilities

Risk
Medium
Advisory ID
ZSL-2011-5039
Release Date
23 August 2011
Vendor
Zoho Corporation Pvt. Ltd. - http://www.manageengine.com
Affected Version
8.0.0 Build 8013 (Enterprise)
CVE
N/A
Tested On
Microsoft Windows XP Professional SP3 (English), Apache-Coyote/1.1, Java Servlet 2.4, Tomcat-5.0.28/JBoss-3.2.6
Summary

ServiceDesk Plus integrates your help desk requests and assets to help you manage your IT effectively. It helps you implement ITIL best practices and troubleshoot IT service requests faster. ServiceDesk Plus is a highly customizable, easy-to-implement help desk software.

Description

The application suffers from multiple stored XSS vulnerabilities. Input passed through several parameters is stored without sanitization and later rendered without output encoding, allowing an attacker to inject arbitrary HTML and script code that executes in the browser session of any user who views the affected page. A couple of HTTP header values are also stored and rendered without encoding and are vulnerable to XSS in the same way.
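The following is an added illustration of the vulnerability class described above, not the advisory's proof of concept and not ServiceDesk Plus code. It models the stored-then-rendered flow with a vulnerable renderer beside its hardened form and adds the check a tester runs after planting a canary: does the marker come back with its HTML metacharacters intact (stored XSS), entity-encoded (safe), or not at all (that field is not rendered on the fetched page)? The record fields ('subject', 'description') and the header name ('User-Agent') are constructed placeholders, not the parameters reported in ZSL-2011-5039.

```python
"""Stored XSS check: a vulnerable renderer beside its hardened form.

Added illustration, not the advisory's proof of concept. The record fields
('subject', 'description') and the header name ('User-Agent') are constructed
placeholders, not the parameters reported in ZSL-2011-5039.
"""
import html

# Canary carrying the three characters that decide whether HTML injection works:
# '<' and '>' to break out of text content, '"' to break out of an attribute value.
CANARY = '<zsl"xss>'

_store = {}  # stands in for the help-desk database that persists the request


def save_request(request_id, fields, headers):
    """Persist user-controlled form fields and the header values the app records."""
    _store[request_id] = {"fields": dict(fields), "headers": dict(headers)}


def render_vulnerable(request_id):
    """Vulnerable pattern: stored values are concatenated straight into HTML."""
    rec = _store[request_id]
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in rec["fields"].items())
    hdrs = "".join(f"<li>{k}: {v}</li>" for k, v in rec["headers"].items())
    return f"<table>{rows}</table><ul>{hdrs}</ul>"


def _esc(value):
    """HTML-entity encode at output time; quote=True also covers attribute context."""
    return html.escape(str(value), quote=True)


def render_hardened(request_id):
    """Hardened form: every stored value (keys included) is encoded when rendered."""
    rec = _store[request_id]
    rows = "".join(f"<tr><td>{_esc(k)}</td><td>{_esc(v)}</td></tr>"
                   for k, v in rec["fields"].items())
    hdrs = "".join(f"<li>{_esc(k)}: {_esc(v)}</li>" for k, v in rec["headers"].items())
    return f"<table>{rows}</table><ul>{hdrs}</ul>"


def classify(body, canary=CANARY):
    """Verdict on a page fetched after the canary was stored:
    'vulnerable' - canary present with metacharacters intact (stored XSS)
    'encoded'    - canary present only in entity-encoded form (safe)
    'not stored' - canary absent (that field is not rendered on this page)
    """
    if canary in body:
        return "vulnerable"
    if html.escape(canary, quote=True) in body:
        return "encoded"
    return "not stored"


def demo():
    """Store the canary via a form field and via a header, render both ways."""
    save_request("REQ-1",
                 {"subject": CANARY, "description": "printer jam"},
                 {"User-Agent": CANARY})
    return {
        "vulnerable": classify(render_vulnerable("REQ-1")),
        "hardened": classify(render_hardened("REQ-1")),
        "absent": classify("<p>nothing here</p>"),
    }


if __name__ == "__main__":
    print(demo())
```

Against a real target the same `classify` check is run on the HTTP response body fetched after the canary has been submitted; the 'not stored' verdict matters because a value that is never displayed on the page under test may still be rendered elsewhere (reports, e-mail notifications, admin views), so every page that shows the stored record has to be checked.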

Proof of Concept
Disclosure Timeline
23.07.2011 - Vulnerabilities discovered.
26.07.2011 - Vendor contacted.
26.07.2011 - Vendor replies asking for more details.
26.07.2011 - Sent vulnerability details to vendor.
26.07.2011 - Vendor confirms XSS issues, assigning Issue ID: SD-39838.
01.08.2011 - Requested status update from vendor.
02.08.2011 - Vendor replies.
03.08.2011 - Working with the vendor.
08.08.2011 - Asked vendor for scheduled patch release date.
08.08.2011 - Vendor replies.
09.08.2011 - Working with the vendor.
16.08.2011 - Vendor releases build 8015 to address these issues.
23.08.2011 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
23.08.2011 - Initial release
24.08.2011 - Added references [4], [5] and [6]
25.08.2011 - Added references [7], [8], [9], [10], [11], [12], [13], [14] and [15]