CVE-2018-9163

MEDIUM

ManageEngine Recovery Manager Plus < 5.3 - Stored XSS via technicianAction.do loginName

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-9163. PoCs published by Ahmet Gurel.

AI-analyzed exploit summary This exploit demonstrates a persistent cross-site scripting (XSS) vulnerability in ManageEngine Recovery Manager Plus 5.3 (Build 5330). The PoC shows how an authenticated attacker can inject malicious JavaScript code via the 'Login Name' parameter, which is stored in the database and affects all users.

Description

A stored Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Recovery Manager Plus before 5.3 (Build 5350) allows remote authenticated users (with Add New Technician permissions) to inject arbitrary web script or HTML via the loginName field to technicianAction.do.

Exploits (1)

exploitdb WORKING POC

by Ahmet Gurel · textwebappsjava

https://www.exploit-db.com/exploits/44666

View Code ZIP pw:eip

This exploit demonstrates a persistent cross-site scripting (XSS) vulnerability in ManageEngine Recovery Manager Plus 5.3 (Build 5330). The PoC shows how an authenticated attacker can inject malicious JavaScript code via the 'Login Name' parameter, which is stored in the database and affects all users.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: ManageEngine Recovery Manager Plus <= 5.3 (Build 5330)

Auth required

Prerequisites: Authenticated access to the application · Access to the Add New Technician page

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Release Notes x_refsource_confirm

https://www.manageengine.com/ad-recovery-manager/release-notes.html#5350

Exploit, Third Party Advisory x_refsource_misc

https://gurelahmet.com/cve-2018-9163-zoho-manageengine-recovery-manager-plus-5-3-build-5330-stored-cross-site-scripting-xss-vulnerability/

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/103773

Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/44666/

Scores

CVSS v3 5.4

EPSS 0.0499

EPSS Percentile 91.1%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

zohocorp/manageengine_recovery_manager_plus < 5.3

Published Apr 02, 2018

Tracked Since Feb 18, 2026