CVE-2023-28341

MEDIUM

Zoho ManageEngine Applications Manager <= 16340 - Unauthenticated Stored Cross-Site Scripting via Login Page

Title source: llm

Description

Stored cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager through 16340 allows an unauthenticated user to inject malicious JavaScript on the incorrect login details page.

Scores

CVSS v3: 6.1
EPSS: 0.6338
EPSS Percentile: 98.4%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (3):
zohocorp/manageengine_applications_manager 15.9 build15990
zohocorp/manageengine_applications_manager 16.3 build16300 (5 CPE variants)
zohocorp/manageengine_applications_manager 16.0 - 16.3
Published: Apr 11, 2023
Tracked Since: Feb 18, 2026