CVE-2022-25373: ManageEngine Support Center Plus Stored Cross-Site Scripting (XSS)

the exploit blog logo
The Exploit: Penetration Testing Insights From The Frontlines
Posted on July 6, 2022
CVE-2022-25373: ManageEngine Support Center Plus Stored Cross-Site Scripting (XSS)

Written by Raxis Research Team


I’m Matt Dunn, lead penetration tester at Raxis. Recently, I discovered a stored XSS in Support Center Plus. Here’s how a malicious actor might exploit it — and what you can do to prevent it.

Summary

A low-privileged user (e.g., the default guest user) can inject arbitrary JavaScript into the description of a new Request. When another user (including a high privileged user) views that request’s edit history, the payload is executed in the context of that new user’s browser. This can cause privilege escalation or other payload execution from low privileged users to other, possibly higher privileged users.

Proof of Concept

The vulnerability can be triggered by inserting html content in the description field of a new request. The payload I inserted as a guest user was:

"><img src=x onerror="alert(document.cookie)"/>

This payload being inserted is shown here:

Payload Inserted as Guest User

When another user (in this case an admin) views that request’s edit history, the JavaScript is executed in the context of the new user’s browser, as shown here:

Payload Execution in Admin User Session

This vulnerability allows any low privileged user to execute JavaScript on higher privileged or other low privilege user’s browsers once they view a request’s edit history. While the payload used here launches an alert box with the page’s cookie values, more dangerous payloads could be executed in this context as well.

Affected Versions

Raxis discovered this vulnerability on Manage Engine Support Center 11.0 Build 11019.

Remediation

Upgrade ManageEngine AD Support Center Plus to Version 11.0 Build 11020 or later immediately which can be found here:

Disclosure Timeline
  • February 2, 2022 – Vulnerability reported to Zoho
  • February 14, 2022 – Zoho begins investigation into report
  • February 21, 2022 CVE-2022-25373 is assigned to this vulnerability
  • March 22, 2022 – Zoho releases fixed version 11.0 Build 11020

CVE Links

 

Raxis Research Team

Raxis Research Team
The Raxis Research Team is dedicated to staying ahead of the threat landscape. Our experts dig into emerging exploits, uncover hidden vulnerabilities, and develop resources that power our penetration testing engagements. By combining curiosity with technical precision, the team equips Raxis testers with cutting-edge intelligence to simulate real-world attacks and strengthen client defenses.

Search The Exploit Blog

Blog Categories

Stay up to date with the latest in penetration testing

Name(Required)
Newsletter(Required)
Do you wish to join our newsletter? We send out emails once a month that cover the latest in cybersecurity news. We do not sell your information to other parties.