CVE-2019-12541

MEDIUM

ManageEngine ServiceDesk Plus 9.3 - Stored Cross-Site Scripting via SolutionSearch.do searchText Parameter

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-12541. PoCs published by Vingroup, tarantula-team.

AI-analyzed exploit summary: This exploit demonstrates a Cross-Site Scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 9.3 via the SolutionSearch.do searchText parameter. The attack vector is provided as a URL with an embedded JavaScript alert payload.

Description

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SolutionSearch.do searchText parameter.

Exploits (2)

exploitdb WORKING POC
by Vingroup · text · webapps · java
https://www.exploit-db.com/exploits/46964

This exploit demonstrates a Cross-Site Scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 9.3 via the SolutionSearch.do searchText parameter. The attack vector is provided as a URL with an embedded JavaScript alert payload.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Zoho ManageEngine ServiceDesk Plus 9.3
No auth needed
Prerequisites: Access to the target application's SolutionSearch.do endpoint
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by tarantula-team · poc
https://github.com/tarantula-team/CVE-2019-12541

The repository contains a functional XSS payload for CVE-2019-12541, targeting Zoho ManageEngine ServiceDesk Plus 9.3 via the SolutionSearch.do searchText parameter. The payload demonstrates a reflected XSS vulnerability.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Zoho ManageEngine ServiceDesk Plus 9.3
No auth needed
Prerequisites: Access to the target application's SolutionSearch.do endpoint
devstral-2 · analyzed Feb 18, 2026

References (2)

Core References
Release Notes, Vendor Advisory x_refsource_misc
https://www.manageengine.com/products/service-desk/readme.html
Exploit, Third Party Advisory x_refsource_misc
https://github.com/tarantula-team/CVE-2019-12541

Scores

CVSS v3: 6.1
EPSS: 0.0603
EPSS Percentile: 92.4%
Attack Vector: NETWORK
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (1): zohocorp/manageengine_servicedesk_plus 9.3
Published: Jun 05, 2019
Tracked Since: Feb 18, 2026