Zoho ManageEngine EventLog Analyzer is prone to an HTML injection vulnerability because it fails to sufficiently sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the browser in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
Information
Exploit
The researcher has created a proof-of-concept to demonstrate the issue. Please see the references for more information.
References:
- ManageEngine EventLog Analyzer 11.0 Build 11000- Stored Cross Site Scripting Att (Zoho Desk)
- ManageEngine EventLog Analyzer Homepage (Zoho Corporation)