HTML Injection vulnerability in ManageEngine Remote Access Plus


eSecForte Technologies Security Researcher – Tarun Sehgal found HTML Injection vulnerability in the ManageEngine Remote Access Plus and it has been assigned CVE-2019-16268 by the MITRE.

ManageEngine Remote Access Plus is an Enterprise Remote access software that helps system administrators and IT help desk technicians in troubleshooting remote computers from a central location.

Description: HTML Injection vulnerability

HTML injection is a type of injection vulnerability that occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page.




A possible attack scenario is demonstrated below:

  • Attacker discovers injection vulnerability and decides to use an HTML injection attack
  • Attacker crafts malicious link, including his injected HTML content, and sends it to a user via email
  • The user visits the page due to the page being located within a trusted domain
  • The attacker’s injected HTML is rendered and presented to the user asking for a username and password
  • The user enters a username and password, which are both sent to the attackers server




  • Your script should filter metacharacters from user input.


Steps to Reproduce:

1. Login using valid credentials and go to Roles.

HTML Injection vulnerability

2. Click on +Add Role button and put the HTML injection payload in Description parameter and click on Add button. The HTML Injection payload gets executed.

HTML Injection vulnerability
HTML Injection vulnerability

3. Likewise, other parameters in the application were found to be vulnerable to HTML Injection as well.

HTML Injection vulnerability

[Disclosure Process]


  1. Reported the Vulnerability to the Vendor Security or PSIRT Team.
  2. Acknowledged confirmed from the Vendor that vulnerability exists
  3. CVE has been filed in NVD
  4. The vendor confirms that the vulnerability is fixed or the latest version, the patch is released
  5. Vulnerability disclosed to the public.






[Has the vendor confirmed or acknowledged the vulnerability?]



Tarun Sehgal from eSec Forte Technologies Pvt Ltd