HTML Injection Vulnerability in ManageEngine Remote Access Plus by Zoho
CVE-2019-16268

4.8 MEDIUM

Key Information:

Vendor: Zohocorp

CVE Published: 3 February 2021

What is CVE-2019-16268?

ManageEngine Remote Access Plus version 10.0.259 is subject to an HTML injection vulnerability that allows attackers to manipulate the application through the Description field in the Admin - User Administration interface. The flaw could enable unauthorized actions through malicious HTML injected into user profiles, potentially leading to data theft or service disruption. Proper input validation and sanitization are crucial to mitigate this issue and protect user data from exploitation.

EPSS Score

13% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
