CVE-2010-3274

ZOHO ManageEngine ADSelfService Plus <4.5.4500 - XSS

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2010-3274. PoCs published by Core Security.

AI-analyzed exploit summary This exploit demonstrates a cross-site scripting (XSS) vulnerability in ManageEngine ADSelfService Plus. The PoC provides URLs with malicious payloads that execute arbitrary JavaScript in the context of the affected site when a user interacts with the injected content.

Description

Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in the Employee Search Engine in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allow remote attackers to inject arbitrary web script or HTML via the searchString parameter in a (1) showList or (2) Search action.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Core Security · textwebappsphp

https://www.exploit-db.com/exploits/35331

View Code ZIP pw:eip

This exploit demonstrates a cross-site scripting (XSS) vulnerability in ManageEngine ADSelfService Plus. The PoC provides URLs with malicious payloads that execute arbitrary JavaScript in the context of the affected site when a user interacts with the injected content.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: ManageEngine ADSelfService Plus 4.4

No auth needed

Prerequisites: Access to the target application's web interface

MITRE ATT&CK