[] NeoSense
E X P L O I T S
title author type platform port cve id

Zoho ManageEngine ServiceDesk Plus 9.3 - Cross-Site Scripting

Author: Vingroup
type: webapps
platform: multiple
port: nan
date_added: 2019-05-22 
date_updated: 2019-05-22 
verified: 0 
codes: CVE-2019-12189 
tags: 
aliases:  
screenshot_url: http://www.exploit-db.com/screenshots/idlt47000/1.jpg 
application_url: 
# Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting
# Date: 2019-05-21
# Exploit Author: Enter of VinCSS (Vingroup)
# Vendor Homepage: https://www.manageengine.com/products/service-desk
# Version: Zoho ManageEngine ServiceDesk Plus 9.3
# CVE : CVE-2019-12189


An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do search field.

The vulnerability stems from the confusion of both single quotes and semicolon in the query string of the URL.

payload: ';alert('XSS');' Attack vector: http:///site.com/SearchN.do
Billing Policy . Cookies Policy . Conditions . Disclaimer . ICANN Policy . Legal Notice . Privacy Policy . Spam Policy . Usage Policy
Copyright © 2026 NEOSENSE. All rights reserved.