ManageEngine Application Manager contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks on a targeted system.
The vulnerability exists because the affected software fails to sufficiently validate and sanitize user-supplied input when processing crafted URLs. An unauthenticated, remote attacker could exploit the vulnerability by convincing a user to follow a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected site and to access sensitive browser-based information.
Functional code that exploits this vulnerability is publicly available.
ManageEngine has not confirmed this vulnerability. Updated software is available; however, it is not known whether the update addresses this vulnerability.