CVE-2021-20080
published 2021-04-09


Priority: P3 · 46 · CVSS 3.1 base score 6.1 (medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 93.11% (99.8th percentile)
Insufficient output sanitization in ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 allows a remote, unauthenticated attacker to conduct persistent cross-site scripting (XSS) attacks by uploading a crafted XML asset file.

Affected

13 ranges
Vendor     Product                        Version range   Fixed in
zohocorp   manageengine_servicedesk_plus  (not listed)    (not listed)
(all 13 ranges name the same vendor and product; the version range and fixed-in columns are not present in the record)

Detection & IOCs (extracted from sources)

url: /discoveryServlet/WsDiscoveryServlet?
snort rule (ET sid 2066203):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Zoho ManageEngine ServiceDesk Plus Unauthenticated Stored XSS (CVE-2021-20080)"; flow:established,to_server; http.uri; content:"/discoveryServlet/WsDiscoveryServlet|3f|"; fast_pattern; http.request_body; content:"inet|20|"; pcre:"/^[^\x0d\x0a]*?\x3b\x7d\x7b/R"; reference:url,www.tenable.com/security/research/tra-2021-11; reference:cve,2021-20080; classtype:web-application-attack; sid:2066203; rev:1; metadata:affected_product Zoho_ManageEngine, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_09, cve CVE_2021_20080, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_12_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Monitor HTTP POST requests whose URI contains the literal string /discoveryServlet/WsDiscoveryServlet? (the rule's |3f| byte is the '?' that follows the servlet path) and whose request body contains 'inet ' (the token followed by a space): this is the unauthenticated upload endpoint used to deliver crafted XML asset files carrying stored XSS payloads.
  • Within the request body, look for the byte sequence ';}{' (hex 3b 7d 7b) after the 'inet ' token with only non-CRLF bytes in between; the PCRE is evaluated relative to the end of that content match (the /R flag), so the two must sit on the same line. This sequence is what the rule treats as the malicious XML structure injected by the attacker.
  • The attack is unauthenticated; no session or credentials are required. Prioritize detections on perimeter and internal deployments, including TLS-decrypted traffic (tls_state TLSDecrypt / deployment SSLDecrypt), since the rule cannot see the URI or body of encrypted sessions.
  • The exploit targets ManageEngine ServiceDesk Plus before version 11200 and ManageEngine AssetExplorer before version 6800 via a crafted XML asset file upload.
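As an added defender-side example (not code from this page or from the ET ruleset), the following Python re-implements the rule's three conditions (URI content, body content, relative PCRE) and runs them over constructed HTTP requests; the host name, sample URIs and bodies are assumptions, not observed traffic.

```python
import re
from typing import Dict, Tuple

# Literal conditions taken from the Snort rule above (ET sid 2066203).
URI_MARKER = "/discoveryServlet/WsDiscoveryServlet?"   # http.uri content; |3f| is '?'
BODY_MARKER = b"inet "                                 # http.request_body content
# The rule's pcre, relative (/R) to the end of "inet ": non-CRLF bytes, then ";}{".
BODY_PATTERN = re.compile(rb"[^\x0d\x0a]*?\x3b\x7d\x7b")

def parse_request(raw: bytes) -> Tuple[str, str, bytes]:
    """Split a raw HTTP/1.1 request into (method, request-target, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace"), body

def matches_rule(raw: bytes) -> bool:
    """True when the request satisfies every condition of the rule."""
    _method, uri, body = parse_request(raw)   # the rule does not restrict the method
    if URI_MARKER not in uri:                  # case-sensitive: the rule has no 'nocase'
        return False
    # Snort retries later "inet " occurrences when the relative pcre fails, so scan them all.
    start = 0
    while (idx := body.find(BODY_MARKER, start)) != -1:
        if BODY_PATTERN.match(body, idx + len(BODY_MARKER)):
            return True
        start = idx + 1
    return False

def _req(target: bytes, body: bytes) -> bytes:
    # Minimal POST wrapper for the constructed samples below (not real traffic).
    return b"POST " + target + b" HTTP/1.1\r\nHost: sdp.example.internal\r\n\r\n" + body

# Constructed samples: one hit, and three requests the rule must not flag.
SAMPLES: Dict[str, bytes] = {
    "flagged": _req(b"/discoveryServlet/WsDiscoveryServlet?computerName=h1",
                    b"<computer>inet 192.0.2.10;}{</computer>"),
    "benign_inventory": _req(b"/discoveryServlet/WsDiscoveryServlet?computerName=h2",
                             b"<computer>inet 192.0.2.11</computer>"),
    "split_across_lines": _req(b"/discoveryServlet/WsDiscoveryServlet?computerName=h3",
                               b"<computer>inet 192.0.2.12\r\n;}{</computer>"),
    "other_endpoint": _req(b"/api/v3/requests", b"<computer>inet 192.0.2.13;}{</computer>"),
}

def classify(samples: Dict[str, bytes]) -> Dict[str, bool]:
    """Run the matcher over each sample; True means the rule would alert."""
    return {name: matches_rule(raw) for name, raw in samples.items()}
```

Calling `classify(SAMPLES)` flags only the first sample; the "split_across_lines" case shows why the CRLF restriction in the PCRE matters when tuning the rule.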

CVSS provenance

NVD, CVSS v3.1: 6.1 MEDIUM, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
NVD, CVSS v2.0: 4.3 MEDIUM, vector AV:N/AC:M/Au:N/C:N/I:P/A:N