This host is running ManageEngine ServiceDesk Plus and is prone to multiple cross site scripting vulnerabilities.

Successful exploitation will allow attacker to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site. This may allow an attacker to steal cookie-based authentications and launch further attacks. Impact Level: Application

No solution or patch was made available for at least one year since disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.

Multiple flaws are due to an error in, - 'SetUpWizard.do' when handling configuration wizard (add new technician) action via 'Name' parameter. - 'SiteDef.do' when handling add a new site action via 'Site name' parameter. - 'GroupResourcesDef.do' when handling add a create group action via 'Group Name' parameter. - 'LicenseAgreement.do' when handling add a new license agreement action via 'Agreement Number' parameter. - 'ManualNodeAddition.do' when handling server configuration (computer) action via 'Name' parameter.

ManageEngine ServiceDesk Plus 8.0 Build 8013 and prior.

• http://sebug.net/exploit/20793/
• http://www.exploit-db.com/exploits/17586/
• http://xforce.iss.net/xforce/xfdb/68717

---

Updated on 2015-03-25