Exploitation Summary
CVE-2018-12998 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows remote attackers to inject arbitrary web script or HTML via the parameter 'operation' to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.
Nuclei Templates (1)
Zoho manageengine - Cross-Site Scripting
MEDIUM by pikpikcu
References (4)
Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/148635/Zoho-ManageEngine-13-13790-build-XSS-File-Read-File-Deletion.html
Exploit, Third Party Advisory x_refsource_misc
https://github.com/unh3x/just4cve/issues/10
Exploit, Third Party Advisory x_refsource_misc
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201807-036
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2018/Jul/75
Scores
CVSS v3: 6.1
EPSS: 0.9846
EPSS Percentile: 99.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
VulnCheck KEV: 2025-06-11
CWE: CWE-79
Status: published
Products (5)
zohocorp/firewall_analyzer
zohocorp/manageengine_netflow_analyzer
zohocorp/manageengine_network_configuration_manager
zohocorp/manageengine_opmanager
zohocorp/manageengine_oputils
Published: Jun 29, 2018
Tracked Since: Feb 18, 2026