ManageEngine ADSelfService Plus < 5.3 Build 5313 PasswordSelfServiceAPI XSS
Medium Nessus Plugin ID 91989
Synopsis
A web application running on the remote host is affected by a cross-site scripting vulnerability.

Description
The ManageEngine ADSelfService Plus application running on the remote host is affected by a cross-site scripting (XSS) vulnerability in PasswordSelfServiceAPI due to improper sanitization of user-supplied input to the 'PSS_OPERATION' parameter. An unauthenticated, remote attacker can exploit this, via a specially crafted URL, to execute arbitrary scripting code in the user's browser session. An attacker can also exploit this issue to disclose cookie-based authentication credentials.

Solution
Upgrade to ManageEngine ADSelfService Plus version 5.3 build 5313 or later.
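The plugin itself only reports the installed build. As an added example (not part of the Nessus plugin or of ManageEngine's code), the following Python script shows two checks a defender can run alongside it: comparing an installed build number against the fixed build named in the solution, and sweeping web-server access logs for requests to PasswordSelfServiceAPI whose PSS_OPERATION value carries markup rather than a plain operation name. The request path "/PasswordSelfServiceAPI", the Apache combined log format and the sample log lines are all constructed assumptions; adjust the path match to the real endpoint in your deployment.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Fixed in version 5.3 build 5313 according to the advisory.
FIXED_BUILD = 5313

# A legitimate PSS_OPERATION value is an operation name; angle brackets,
# quotes, a javascript: scheme or an inline event handler indicate injected markup.
SUSPICIOUS = re.compile(r"[<>\"']|javascript:|\bon\w+\s*=", re.IGNORECASE)

# Apache/nginx combined log format: client, identity, user, [timestamp], "METHOD URI PROTO", status
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})')


def is_fixed_build(build):
    """True when the installed build is at or above the fixed build (5313)."""
    return int(build) >= FIXED_BUILD


def flag_request(uri):
    """Return the decoded PSS_OPERATION value if it looks like injected markup, else None.

    Only requests to the PasswordSelfServiceAPI path are considered (assumed path).
    """
    parts = urlsplit(uri)
    if "passwordselfserviceapi" not in parts.path.lower():
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("PSS_OPERATION", []):
        # parse_qs already decodes once; decode again to catch double-encoded payloads.
        decoded = unquote(value)
        if SUSPICIOUS.search(decoded):
            return decoded
    return None


def scan_log(lines):
    """Return one record per access-log line whose PSS_OPERATION value is suspicious."""
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        client, timestamp, method, uri, status = match.groups()
        value = flag_request(uri)
        if value is not None:
            hits.append({"client": client, "time": timestamp, "method": method,
                         "status": int(status), "value": value})
    return hits


# Constructed sample log: one benign reset request, one request carrying markup in
# PSS_OPERATION, and one request with markup against an unrelated path.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2016:10:00:00 +0000] "GET /PasswordSelfServiceAPI?PSS_OPERATION=resetPassword HTTP/1.1" 200 512
10.0.0.9 - - [01/Jul/2016:10:00:05 +0000] "GET /PasswordSelfServiceAPI?PSS_OPERATION=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 734
10.0.0.9 - - [01/Jul/2016:10:00:07 +0000] "GET /other?PSS_OPERATION=%3Cb%3E HTTP/1.1" 404 210
"""

if __name__ == "__main__":
    for build in (5312, 5313):
        print(f"build {build}: {'fixed' if is_fixed_build(build) else 'vulnerable'}")
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['time']} {hit['client']} {hit['method']} status={hit['status']} "
              f"PSS_OPERATION={hit['value']!r}")
```

A status code of 200 on a flagged line means the server reflected the request rather than rejecting it, which is the condition to prioritise; on a patched build the same scan is still worth keeping as a tripwire for probing activity.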