Vulnerability Description
A stored Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Recovery Manager Plus before 5.3 (Build 5350) allows remote authenticated users (with Add New Technician permissions) to inject arbitrary web script or HTML via the loginName field to technicianAction.do.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zohocorp | Manageengine Recovery Manager Plus | < 5.3 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/103773Third Party AdvisoryVDB Entry
- https://gurelahmet.com/cve-2018-9163-zoho-manageengine-recovery-manager-plus-5-3ExploitThird Party Advisory
- https://www.exploit-db.com/exploits/44666/Third Party AdvisoryVDB Entry
- https://www.manageengine.com/ad-recovery-manager/release-notes.html#5350Release Notes
- http://www.securityfocus.com/bid/103773Third Party AdvisoryVDB Entry
- https://gurelahmet.com/cve-2018-9163-zoho-manageengine-recovery-manager-plus-5-3ExploitThird Party Advisory
- https://www.exploit-db.com/exploits/44666/Third Party AdvisoryVDB Entry
- https://www.manageengine.com/ad-recovery-manager/release-notes.html#5350Release Notes
FAQ
What is CVE-2018-9163?
CVE-2018-9163 is a vulnerability with a CVSS score of 5.4 (MEDIUM). A stored Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Recovery Manager Plus before 5.3 (Build 5350) allows remote authenticated users (with Add New Technician permissions) to inject a...
How severe is CVE-2018-9163?
CVE-2018-9163 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-9163?
Check the references section above for vendor advisories and patch information. Affected products include: Zohocorp Manageengine Recovery Manager Plus.