CVE-2015-5150

ManageEngine SupportCenter Plus 7.90 - Authenticated Cross-Site Scripting via Query Parameter

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-5150. PoCs published by Vulnerability-Lab.

AI-analyzed exploit summary: This is a detailed vulnerability writeup for CVE-2015-5150, describing multiple vulnerabilities in ManageEngine SupportCenter Plus 7.90, including improper authentication, directory traversal, and reflected XSS. It provides technical details and proof-of-concept steps but does not include executable exploit code.

Description

Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.90 allow remote authenticated users to inject arbitrary web script or HTML via the (1) query parameter in the run_query_editor_query module to CustomReportHandler.do, (2) compAcct parameter to jsp/ResetADPwd.jsp, or (3) redirectTo parameter to jsp/CacheScreenWidth.jsp.

Exploits (1)

exploitdb WRITEUP
by Vulnerability-Lab · text · webapps · multiple
https://www.exploit-db.com/exploits/37322

Classification: Writeup 90%
Attack Type: Info Leak | Auth Bypass | XSS
Complexity: Moderate
Reliability: Reliable
Target: ManageEngine SupportCenter Plus 7.90
Auth required
Prerequisites: Active Directory integration configured · Low-privilege account access · Network connectivity to attacker-controlled domain for user import
devstral-2 · analyzed Feb 16, 2026

Scores

EPSS 0.0426
EPSS Percentile 89.8%

Details

CWE: CWE-79
Status: published
Products (1): zohocorp/manageengine_supportcenter_plus 7.90
Published: Jun 30, 2015
Tracked Since: Feb 18, 2026