[原文]Cross-site scripting (XSS) vulnerability in SolutionSearch.do in ManageEngine ServiceDesk Plus 7.0.0 Build 7011 for Windows allows remote attackers to inject arbitrary web script or HTML via the searchText parameter. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
[CNNVD]Windows ManageEngine ServiceDesk Plus ‘SolutionSearch.do’ 跨站脚本攻击漏洞(CNNVD-200803-191)
Windows ManageEngine ServiceDesk Plus 中的SolutionSearch.do存在跨站脚本攻击漏洞。远程攻击者通过searchText参数来注入任意web脚本或HTML。
ManageEngine ServiceDesk Plus SolutionSearch.do searchText Parameter XSS
Remote / Network Access
Input Manipulation
Loss of Integrity
Solution Unknown
Exploit Public
Uncoordinated Disclosure
–
漏洞描述
ManageEngine ServiceDesk Plus contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'searchText' variable upon submission to the 'SolutionSearch.do' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
–
时间线
2008-03-11
Unknow
Unknow
Unknow
–
解决方案
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
![OWASP Top 10 - 2017 RC1[最新pdf]-微慑信息网-VulSee.com](http://vulsee.com/wp-content/uploads/2017/04/182.png)
![PHP 远程代码执行漏洞 (CVE-2019-11043)[附exploit]-微慑信息网-VulSee.com](https://vulsee.com/wp-content/uploads/2019/10/beepress9-1571831627-220x150.jpeg)
![[八卦] 王婷婷—揭秘一个大三女生的性爱录像-微慑信息网-VulSee.com](http://free.86hy.com/crack/pic/1.jpg)
![[随笔]今天国际警察节-微慑信息网-VulSee.com](http://photo.sohu.com/20041017/Img222528326.jpg)
青云网
