CVE-2019-15510

Vulnerability

ManageEngine Desktop Central 10 (all builds prior to the 04-Nov-2019 fix) is vulnerable to HTML injection in the user administration page. The vulnerability arises because the role description field does not sanitize user input, allowing an attacker to inject arbitrary HTML code [1][2].

Exploitation

An attacker must be authenticated and have access to the User Administration module. By crafting a role description containing malicious HTML tags (e.g., `` asking for credentials), the injected content is rendered when an administrator views the user administration page. The attacker can then send a crafted link to a victim via email, tricking them into visiting the page within the trusted domain [1]. The victim's browser renders the injected HTML, which may ask for credentials and exfiltrate them to the attacker [1].

Impact

Successful HTML injection allows an attacker to alter the page content seen by victims, potentially leading to phishing attacks, disclosure of session cookies, or other client-side compromises. The injected HTML runs in the context of the trusted domain, making it easier to deceive users [1].

Mitigation

The issue was identified and fixed on 04-Nov-2019 [2]. Users should update to the latest build of ManageEngine Desktop Central (Endpoint Central) by applying the available PPM update. No workaround has been provided for unpatched versions [2].