CVE-2020-6843
Description
Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 allows XSS. This issue was fixed in version 11.0 Build 11010, SD-83959.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Zoho ManageEngine ServiceDesk Plus 11.0 Build 11007 is vulnerable to cross-site scripting (XSS), allowing attackers to inject malicious scripts; fixed in version 11.0 Build 11010.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in Zoho ManageEngine ServiceDesk Plus version 11.0 Build 11007 [3]. The issue allows an attacker to inject arbitrary JavaScript code into the application, which is then executed in the context of the victim's browser. The vulnerability was addressed in version 11.0 Build 11010 (SD-83959) [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious payload and injecting it into an input field or parameter that is not properly sanitized. The victim must then interact with the crafted content, such as viewing a page or clicking a link, for the script to execute. No authentication is required if the vulnerable endpoint is publicly accessible, but the exact attack vector is not detailed in the available references.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, data theft, defacement, or other malicious actions within the context of the ServiceDesk Plus application. The attacker gains the same privileges as the victim user.
Mitigation
The vulnerability is fixed in Zoho ManageEngine ServiceDesk Plus version 11.0 Build 11010, released on an unspecified date [1]. Users should upgrade to this version or later. No workarounds are documented. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Zoho/ManageEngine ServiceDesk Plusdescription
- Range: = 11.0 Build 11007
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- packetstormsecurity.com/files/156050/ZOHO-ManageEngine-ServiceDeskPlus-11.0-Build-11007-Cross-Site-Scripting.htmlmitrex_refsource_MISC
- seclists.org/fulldisclosure/2020/Jan/32mitremailing-listx_refsource_FULLDISC
- sec-consult.com/en/vulnerability-lab/advisories/index.htmlmitrex_refsource_MISC
- seclists.org/bugtraq/2020/Jan/34mitremailing-listx_refsource_BUGTRAQ
- www.manageengine.com/products/service-desk/readme.htmlmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.