Vulnerability Details : CVE-2018-9163
Potential exploit
A stored Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Recovery Manager Plus before 5.3 (Build 5350) allows remote authenticated users (with Add New Technician permissions) to inject arbitrary web script or HTML via the loginName field to technicianAction.do.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2018-9163
- cpe:2.3:a:zohocorp:manageengine_recovery_manager_plus:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-9163
- EPSS score: 42.12% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~97% (the proportion of vulnerabilities that are scored at or below this value)
- EPSS Score History
CVSS scores for CVE-2018-9163
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N | 6.8 | 2.9 | NIST | |
| 5.4 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 | NIST | |
CWE ids for CVE-2018-9163
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-9163
- https://www.exploit-db.com/exploits/44666/ : ManageEngine Recovery Manager Plus 5.3 - Cross-Site Scripting (Third Party Advisory; VDB Entry)
- https://www.manageengine.com/ad-recovery-manager/release-notes.html#5350 : RecoveryManager Plus Release Notes - Highlights the new features, enhancements and bug fixes included in each release of this Active Directory backup and recovery tool. (Release Notes)
- http://www.securityfocus.com/bid/103773 : ZOHO ManageEngine Recovery Manager Plus CVE-2018-9163 HTML Injection Vulnerability (Third Party Advisory; VDB Entry)
- https://gurelahmet.com/cve-2018-9163-zoho-manageengine-recovery-manager-plus-5-3-build-5330-stored-cross-site-scripting-xss-vulnerability/ : Zoho ManageEngine Recovery Manager Plus 5.3 (Build 5330) Stored Cross-Site-Scripting (XSS) Vulnerability [CVE-2018-9163] | Ahmet GÜREL (Exploit; Third Party Advisory)