CVE-2019-12543

MEDIUM

Zoho ManageEngine ServiceDesk Plus 9.3 - Stored Cross-Site Scripting via PurchaseRequest.do serviceRequestId Parameter

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-12543. PoCs published by Vingroup, tarantula-team.

AI-analyzed exploit summary: This exploit demonstrates a Cross-Site Scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 9.3 via the PurchaseRequest.do serviceRequestId parameter. The attack vector is provided as a URL with an embedded XSS payload.

Description

An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter.

Exploits (2)

exploitdb WORKING POC
by Vingroup · text · webapps · java
https://www.exploit-db.com/exploits/46966

This exploit demonstrates a Cross-Site Scripting (XSS) vulnerability in Zoho ManageEngine ServiceDesk Plus 9.3 via the PurchaseRequest.do serviceRequestId parameter. The attack vector is provided as a URL with an embedded XSS payload.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Zoho ManageEngine ServiceDesk Plus 9.3
No auth needed
Prerequisites: Access to the target application's PurchaseRequest.do endpoint
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by tarantula-team · poc
https://github.com/tarantula-team/CVE-2019-12543

This repository contains a functional proof-of-concept for an XSS vulnerability in Zoho ManageEngine ServiceDesk Plus 9.3. The exploit leverages the 'serviceRequestId' parameter in the 'PurchaseRequest.do' endpoint to inject malicious JavaScript.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Zoho ManageEngine ServiceDesk Plus 9.3
No auth needed
Prerequisites: Access to the target application's 'PurchaseRequest.do' endpoint
devstral-2 · analyzed Feb 18, 2026

References (2)

Core References
Release Notes, Vendor Advisory x_refsource_misc
https://www.manageengine.com/products/service-desk/readme.html
Exploit, Third Party Advisory x_refsource_misc
https://github.com/tarantula-team/CVE-2019-12543

Scores

CVSS v3 6.1
EPSS 0.0606
EPSS Percentile 92.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE CWE-79
Status published
Products (1)
zohocorp/manageengine_servicedesk_plus 9.3
Published Jun 05, 2019
Tracked Since Feb 18, 2026