Headline
CVE-2023-29442: Security Updates - CVE Details - CVE-2023-29442
Zoho ManageEngine Applications Manager through 16390 allows DOM XSS.
DOM-Based XSS Vulnerability
Vulnerability Details
Severity
High
CVE ID
CVE-2023-29442
Affected software versions
Version 16390 and below
Fixed Version
Version 16362 to 16369
Version 16400 and above
Fixed On
06 March 2023
Details
DOM-Based XSS Vulnerability while accessing the proxy.html file allows attacker to craft an url with malicious JavaScript payload. When clicking the crafted url, that is shared by an attacker, malicious JavaScript gets executed in the victim browser.
Impact
This vulnerability executes JavaScript in the victim’s browser controlled by the attacker to carry out any of the actions that are applicable to the administrator users of Applications Manager.
Fix
Applications Manager version 16400 and above fixes this issue by removing the proxy.html file from the product since it is not required anymore.
Steps to update
Update your Applications Manager instance to the latest build using the service pack.
Source and Acknowledgements
Find out more about CVE-2023-29442 from CVE Directory and NIST NVD.
Reported by:
Rahul, ProjectDiscovery Security Research Team.
Need Help?
For clarification or corrections please contact our support team or email us at [email protected]