CVE-2019-16268 — Cross-site Scripting in Manageengine Remote Access Plus

CWE-79 — Cross-site Scripting CWE-74 — Injection3 documents3 sources

Severity

4.8MEDIUMNVD

EPSS

12.4%

top 6.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zohocorp Manageengine Remote Access Plus

Timeline

PublishedFeb 3

Latest updateMay 24

Description

Zoho ManageEngine Remote Access Plus 10.0.259 allows HTML injection via the Description field on the Admin - User Administration userMgmt.do?actionToCall=ShowUser screen.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.7 | Impact: 2.7

Affected Packages1 packages

▶NVDzohocorp/manageengine_remote_access_plus10.0.259

🔴Vulnerability Details

GHSA

GHSA-wpwr-fc52-h69c: Zoho ManageEngine Remote Access Plus 10↗2022-05-24

▶

CVEList

CVE-2019-16268: Zoho ManageEngine Remote Access Plus 10↗2021-02-03

▶