HTML Injection vulnerability in Manage Engine DesktopCentral UEM solution

INTRODUCTION

eSecForte Technologies Security Researcher – Abhinav Khanna found a HTML Injection vulnerability in the Manage Engine DesktopCentral and it has been assigned CVE-2019-16962 by the MITRE.

Manage Engine DesktopCentral is a Unified Endpoint Management (UEM) solution that helps manage servers, desktops, virtual machines, mobile phones, tablets, Its features includes Patch Management, Software Deployment, Remote Desktop Sharing, IT Asset Management, Desktop Configurations, Service Pack Installation, Active Directory Reports, User Administration, Mobile Device Management and many more.

Description:

HTML injection is a type of injection vulnerability that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page.

 

 

Impact:

A possible attack scenario is demonstrated below:

• Attacker discovers injection vulnerability and decides to use an HTML injection attack
• Attacker crafts malicious link, including his injected HTML content, and sends it to a user via email
• The user visits the page due to the page being located within a trusted domain
• The attacker’s injected HTML is rendered and presented to the user asking for a username and password
• The user enters a username and password, which are both sent to the attackers server

 

 

Recommendation:

• Your script should filter metacharacters from user input.

 

Steps to Reproduce: