CVE-2019-8928

MEDIUM

ManageEngine Netflow Analyzer Professional 7.0.0.2 - Stored Cross-Site Scripting via User Management Form Parameters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-8928. PoCs published by Rafael Pedrero.

AI-analyzed exploit summary: This is a writeup documenting multiple XSS and path traversal vulnerabilities in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2. It includes descriptions, PoC URLs, and mitigation advice but does not contain executable exploit code.

Description

An issue was discovered in Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2. XSS exists in /netflow/jspui/userManagementForm.jsp via these GET parameters: authMeth, passWord, pwd1, and userName.

Exploits (1)

exploitdb WRITEUP
by Rafael Pedrero · html, webapps, jsp
https://www.exploit-db.com/exploits/46425


Classification: Writeup 100%
Attack Type: XSS | Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2
Auth required
Prerequisites: Authenticated access to the administration zone
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/46425/
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2019/Feb/45

Scores

CVSS v3 6.1
EPSS 0.0165
EPSS Percentile 82.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status published
Products (1): zohocorp/manageengine_netflow_analyzer 7.0.0.2
Published May 17, 2019
Tracked Since Feb 18, 2026