CVE-2018-16833
Published 2018-09-21
Priority: P3 · 54 · medium · CVSS 3.0: 6.1
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 65.41% (99.2nd percentile)
Zoho ManageEngine Desktop Central 10.0.271 has XSS via the "Features & Articles" search field to the /advsearch.do?SUBREQUEST=XMLHTTP URI.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_desktop_central | — | — |
Detection & IOCs (extracted from sources)
Observed exploit request body (POST to /advsearch.do?SUBREQUEST=XMLHTTP):
`q=">&src=sall&stab=Home&page=1&pagelimit=10&searchParamId=901&searchParamName=dm.advsearch.features.articles&id=1536666162979&isTriggerFromMenu=false&actionToCall=getSearchResults`
- Detect POST requests to /advsearch.do with the SUBREQUEST=XMLHTTP query parameter, which is the vulnerable endpoint for this reflected XSS.
- Look for the X-Requested-With: XMLHttpRequest header combined with the X-ZCSRF-TOKEN header in POST requests to /advsearch.do, indicative of exploit attempts.
- Inspect the POST body for a 'q' parameter containing XSS payloads (e.g., quote/angle-bracket injection) alongside searchParamName=dm.advsearch.features.articles and actionToCall=getSearchResults.
- Monitor for a Referer header referencing /homePage.do?actionToCall=homePageDetails on requests to /advsearch.do, consistent with the exploit flow.
- The vulnerability is version-specific to ManageEngine Desktop Central 10.0.271; verify the exact version before applying detections to avoid false positives on patched instances.
- This is a reflected (non-persistent) XSS; detection should focus on inbound POST request payloads rather than stored content.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 6.1 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| NVD | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
No detection rules found.
No writeups or analysis indexed.