CVE-2019-12542

MEDIUM

ManageEngine ServiceDesk Plus 9.3 - Cross-Site Scripting via SearchN.do userConfigID Parameter

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-12542. PoCs published by Vingroup, tarantula-team.

AI-analyzed exploit summary: This exploit demonstrates a Cross-Site Scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 9.3 via the SearchN.do userConfigID parameter. The attack vector is provided as a URL with a crafted payload that triggers an XSS alert.

Description

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter.

Exploits (2)

exploitdb WORKING POC
by Vingroup · text · webapps · java
https://www.exploit-db.com/exploits/46965

This exploit demonstrates a Cross-Site Scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 9.3 via the SearchN.do userConfigID parameter. The attack vector is provided as a URL with a crafted payload that triggers an XSS alert.

Classification: Working PoC (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Zoho ManageEngine ServiceDesk Plus 9.3
No auth needed
Prerequisites: Access to the target application's SearchN.do endpoint
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by tarantula-team · poc
https://github.com/tarantula-team/CVE-2019-12542

This repository contains a functional proof-of-concept for an XSS vulnerability in Zoho ManageEngine ServiceDesk Plus 9.3 via the SearchN.do userConfigID parameter. The payload demonstrates a reflected XSS attack using an img tag with an onerror event handler.

Classification: Working PoC (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Zoho ManageEngine ServiceDesk Plus 9.3
No auth needed
Prerequisites: Access to the vulnerable endpoint
devstral-2 · analyzed Feb 18, 2026

References (2)

Core References
Release Notes, Vendor Advisory (x_refsource_misc): https://www.manageengine.com/products/service-desk/readme.html
Exploit, Third Party Advisory (x_refsource_misc): https://github.com/tarantula-team/CVE-2019-12542

Scores

CVSS v3: 6.1
EPSS: 0.0603
EPSS Percentile: 92.4%
Attack Vector: NETWORK
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (1): zohocorp/manageengine_servicedesk_plus 9.3
Published: Jun 05, 2019
Tracked Since: Feb 18, 2026