CVE-2018-9163
MEDIUM
Zohocorp Manageengine Recovery Manager Plus < 5.3 - XSS
A stored Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Recovery Manager Plus before 5.3 (Build 5350) allows remote authenticated users (with Add New Technician permissions) to inject arbitrary web script or HTML via the loginName field to technicianAction.do.
References (4)
Core References
Release Notes x_refsource_confirm
https://www.manageengine.com/ad-recovery-manager/release-notes.html#5350
Exploit, Third Party Advisory x_refsource_misc
https://gurelahmet.com/cve-2018-9163-zoho-manageengine-recovery-manager-plus-5-3-build-5330-stored-cross-site-scripting-xss-vulnerability/
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/103773
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44666/
Scores
CVSS v3
5.4
EPSS
0.0244
EPSS Percentile
85.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
zohocorp/manageengine_recovery_manager_plus
< 5.3
Published
Apr 02, 2018
Tracked Since
Feb 18, 2026