CVE-2021-20080

CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

6.1MEDIUM

EPSS

18.6%

top 4.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zohocorp Manageengine Servicedesk Plus

Timeline

PublishedApr 9

Latest updateDec 9

Description

Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks by uploading a crafted XML asset file.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages3 packages

▶CVEListV5manageengine_assetexplorerBefore 6800

▶CVEListV5manageengine_servicedesk_plusBefore 11200

▶NVDzohocorp/manageengine_servicedesk_plus12 versions+11

🔴Vulnerability Details

GHSA

GHSA-xf4h-3x4p-9w5m: Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a rem↗2022-05-24

▶

CVEList

CVE-2021-20080: Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a rem↗2021-04-09

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS Zoho ManageEngine ServiceDesk Plus Unauthenticated Stored XSS (CVE-2021-20080)↗2025-12-09

▶