This host is running ManageEngine ServiceDesk Plus and is prone to multiple stored cross site scripting vulnerabilities.

Successful exploitation will allow attacker to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site. This may allow an attacker to steal cookie-based authentications and launch further attacks. Impact Level: Application

Upgrade to ManageEngine ServiceDesk Plus 8.0 Build 8015 or later For updates refer to http://www.manageengine.com/

Multiple flaws are due to an error in, -'WorkOrder.do', 'Problems.cc', 'AddNewProblem.cc', 'ChangeDetails.c' when processing the 'reqName' parameter. - 'WorkOrder.do' when processing the verious parameters. - 'AddSolution.do' when handling add action via ' keywords' and 'comment' parameters. - 'ContractDef.do' when processing the 'supportDetails', 'contractName' and 'comments' parameters. - 'VendorDef.do' and 'MarkUnavailability.jsp' hen processing the 'organizationName' and 'COMMENTS' parameters. - 'HomePage.do', 'MySchedule.do', and 'WorkOrder.d' when handling the HTTP header elements 'referer' and 'accept-language'.

ManageEngine ServiceDesk Plus 8.0 Build 8013 and prior.

• http://packetstormsecurity.org/files/view/104365/ZSL-2011-5039.txt
• http://www.manageengine.com/products/service-desk/readme-8.0.html

---

Updated on 2015-03-25