I’m Matt Dunn, lead penetration tester at Raxis. Recently, I discovered a stored XSS in Support Center Plus. Here’s how a malicious actor might exploit it — and what you can do to prevent it.
Proof of Concept
The vulnerability can be triggered by inserting HTML content in the description field of a new request. The payload I inserted as a guest user was:
"><img src=x onerror="alert(document.cookie)"/>
This payload being inserted is shown here:
Raxis discovered this vulnerability on ManageEngine Support Center 11.0 Build 11019.
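The `">` at the start of the payload above suggests the description was written into an attribute value without output encoding, so the quote and bracket end the attribute and tag before a new element begins. The following JavaScript is an added example, not Raxis or ManageEngine code: the `div`/`title` template and every function name are assumptions used to compare unencoded and encoded rendering of the same payload.

```javascript
// Added example: hypothetical template code, not Support Center Plus source.
// Sample input: the description payload quoted in the post.
const payload = '"><img src=x onerror="alert(document.cookie)"/>';

// Encode the characters that let text change HTML parsing context.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// Vulnerable pattern (assumed): description concatenated into an attribute and a body.
function renderUnsafe(description) {
  return `<div class="request" title="${description}">${description}</div>`;
}

// Hardened pattern: same template, untrusted value encoded at output time.
function renderSafe(description) {
  const d = escapeHtml(description);
  return `<div class="request" title="${d}">${d}</div>`;
}

// Small quote-aware scanner: returns each start tag and whether it carries
// an on* event-handler attribute outside of quoted attribute values.
function listTags(html) {
  const tags = [];
  let i = 0;
  while ((i = html.indexOf('<', i)) !== -1) {
    const m = /^<([a-zA-Z][\w-]*)/.exec(html.slice(i, i + 64));
    if (!m) { i += 1; continue; }
    let j = i + m[0].length, quote = null, skeleton = '';
    for (; j < html.length; j += 1) {
      const ch = html[j];
      if (quote) { if (ch === quote) quote = null; continue; }
      if (ch === '"' || ch === "'") { quote = ch; continue; }
      if (ch === '>') break;
      skeleton += ch; // attribute names only, quoted values dropped
    }
    tags.push({ name: m[1].toLowerCase(), handler: /\son\w+\s*=/i.test(skeleton) });
    i = j + 1;
  }
  return tags;
}

// Names of tags carrying event handlers the template author never wrote.
function injectedHandlers(html) {
  return listTags(html).filter((t) => t.handler).map((t) => t.name);
}

console.log('unsafe:', injectedHandlers(renderUnsafe(payload)));
console.log('safe:  ', injectedHandlers(renderSafe(payload)));
```

In the encoded output the payload survives only as text inside the single `div`, so the same check can serve as a regression test on any template that displays request fields.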
Upgrade ManageEngine AD Support Center Plus to Version 11.0 Build 11020 or later immediately. It can be found here:
- Download Link – https://www.manageengine.com/products/support-center/service-packs.html
- Release Notes – https://pitstop.manageengine.com/portal/en/community/topic/manageengine-supportcenter-plus-version-11-0-build-11020-released
- February 2, 2022 – Vulnerability reported to Zoho
- February 14, 2022 – Zoho begins investigation into report
- February 21, 2022 – CVE-2022-25373 is assigned to this vulnerability
- March 22, 2022 – Zoho releases fixed version 11.0 Build 11020
- Mitre CVE – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25373
- NVD – https://nvd.nist.gov/vuln/detail/CVE-2022-25373