CVE-2018-16833
published 2018-09-21

CVE-2018-16833: Zoho ManageEngine Desktop Central 10.0.271 has XSS via the "Features & Articles" search field to the /advsearch.do?SUBREQUEST=XMLHTTP URI.

Priority: P354 · medium · 6.1 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit: EPSS 65.41% (percentile 99.2)

Affected (1 range)

Vendor: zohocorp
Product: manageengine_desktop_central
Version range / Fixed in: not listed on this page

Detection & IOCs (extracted from sources)

URL: /advsearch.do?SUBREQUEST=XMLHTTP
Path: /advsearch.do
Request body (labelled "command" in the source): q=">&src=sall&stab=Home&page=1&pagelimit=10&searchParamId=901&searchParamName=dm.advsearch.features.articles&id=1536666162979&isTriggerFromMenu=false&actionToCall=getSearchResults
  • Detect POST requests to /advsearch.do with SUBREQUEST=XMLHTTP query parameter, which is the vulnerable endpoint for this reflected XSS.
  • Look for the X-Requested-With: XMLHttpRequest header combined with X-ZCSRF-TOKEN header in POST requests to /advsearch.do, indicative of exploit attempts.
  • Inspect POST body for the 'q' parameter containing XSS payloads (e.g., quote/angle-bracket injection) alongside searchParamName=dm.advsearch.features.articles and actionToCall=getSearchResults.
  • Monitor for Referer header referencing /homePage.do?actionToCall=homePageDetails on requests to /advsearch.do, consistent with the exploit flow.
  • The vulnerability is version-specific to ManageEngine Desktop Central 10.0.271; verify the exact version before applying detections to avoid false positives on patched instances.
  • This is a reflected (non-persistent) XSS; detection should focus on inbound POST request payloads rather than stored content.
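As an added illustration (not from the CVE source, the vendor, or this database), the Python below applies the indicators listed above to parsed HTTP request records and reports which ones matched. The sample requests, the host name and the token value are constructed; only the endpoint, header names and body parameters come from the indicators above.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (not captured traffic). The first mirrors the
# request shape listed under Detection & IOCs; the others are benign controls.
SAMPLE_REQUESTS = [
    {"method": "POST", "uri": "/advsearch.do?SUBREQUEST=XMLHTTP",
     "headers": {"X-Requested-With": "XMLHttpRequest",
                 "X-ZCSRF-TOKEN": "constructed-token",
                 "Referer": "https://dc.example.test/homePage.do?actionToCall=homePageDetails"},
     "body": 'q=">&src=sall&stab=Home&page=1&pagelimit=10&searchParamId=901'
             '&searchParamName=dm.advsearch.features.articles&id=1536666162979'
             '&isTriggerFromMenu=false&actionToCall=getSearchResults'},
    {"method": "POST", "uri": "/advsearch.do?SUBREQUEST=XMLHTTP",
     "headers": {"X-Requested-With": "XMLHttpRequest",
                 "X-ZCSRF-TOKEN": "constructed-token"},
     "body": "q=patch+tuesday&searchParamName=dm.advsearch.features.articles"
             "&actionToCall=getSearchResults"},
    {"method": "GET", "uri": "/homePage.do?actionToCall=homePageDetails",
     "headers": {}, "body": ""},
]

def matched_indicators(req):
    """Return the names of the indicators above that this request matches, in order."""
    hits = []
    parts = urlsplit(req["uri"])
    query = parse_qs(parts.query)
    if req["method"] == "POST" and parts.path == "/advsearch.do" \
            and "XMLHTTP" in query.get("SUBREQUEST", []):
        hits.append("endpoint")
    else:
        return hits  # the other indicators only matter on the vulnerable endpoint
    headers = {k.lower(): v for k, v in req["headers"].items()}
    if headers.get("x-requested-with") == "XMLHttpRequest" and "x-zcsrf-token" in headers:
        hits.append("xhr_headers")
    # parse_qs percent-decodes, so an encoded quote or angle bracket is caught too
    body = parse_qs(req["body"], keep_blank_values=True)
    q = "".join(body.get("q", []))
    if any(c in q for c in '"\'<>') \
            and "dm.advsearch.features.articles" in body.get("searchParamName", []) \
            and "getSearchResults" in body.get("actionToCall", []):
        hits.append("q_payload")
    if "/homePage.do?actionToCall=homePageDetails" in headers.get("referer", ""):
        hits.append("referer")
    return hits

def is_exploit_attempt(req):
    """Alert only when the endpoint and the quote/angle-bracket 'q' indicator both match."""
    hits = matched_indicators(req)
    return "endpoint" in hits and "q_payload" in hits

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["method"], req["uri"], matched_indicators(req), is_exploit_attempt(req))
```

The header and Referer indicators are reported but not required for the alert, since a legitimate in-app search sends the same XHR headers; the version check from the notes above still has to be done out of band.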

CVSS provenance

NVD, CVSS v3.0: 6.1 MEDIUM, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
NVD, CVSS v2.0: 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N