Description
An issue was discovered in ZOHO ManageEngine OpManager 12.2. By adding a Google Map to the application, an authenticated user can upload an HTML file. This HTML file is then rendered in various locations of the application. JavaScript inside the uploaded HTML is also interpreted by the application. Thus, an attacker can inject a malicious JavaScript payload inside the HTML file and upload it to the application.
References (3)
Core References
Vendor Advisory x_refsource_misc
http://manageengine.com
Product x_refsource_misc
http://opmanager.com
Exploit, Third Party Advisory x_refsource_misc
https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18736
Scores
CVSS v3
5.4
EPSS
0.0147
EPSS Percentile
81.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
zohocorp/manageengine_opmanager
12.2
Published
May 23, 2019
Tracked Since
Feb 18, 2026