Headline
CVE-2023-38333: Security Updates - CVE Details - CVE-2023-38333
Zoho ManageEngine Applications Manager through 16530 allows reflected XSS while logged in.
Reflected XSS Vulnerability
Vulnerability Details
Severity
High
CVE ID
CVE-2023-38333
Affected software versions
Version 16530 and below
Fixed Version
Version 16367 to 16369
Version 16424 to 16429
Version 16512 to 16519
Version 16540 and above
Fixed On
3 July 2023
Details
Reflected XSS Vulnerability in a login url allows attacker to craft a malicious JavaScript payload. When clicking the crafted url that is shared by an attacker, malicious JavaScript gets executed in the victim browser.
Impact
This vulnerability executes JavaScript in the victim’s browser controlled by the attacker to carry out any of the actions that are applicable to the corresponding role of the victim in Applications Manager.
Fix
Applications Manager version 16540 and above fixes this issue by using proper defence mechanisms against Cross-Site Scripting(XSS) vulnerability.
Steps to update
Update your Applications Manager instance to the latest build using the service pack.
Source and Acknowledgements
Find out more about CVE-2023-38333 from CVE Directory and NIST NVD.
Reported by:
Anonymous working with Trend Micro Zero Day Initiative.
Need Help?
For clarification or corrections please contact our support team or email us at [email protected]