CVE-2021-46065
Description
A Cross-site scripting (XSS) vulnerability in the Secondary Email field in Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306 allows an attacker to inject arbitrary JavaScript code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in the Secondary Email field of Zoho ManageEngine ServiceDesk Plus 11.3 Build 11306 allows an attacker to inject arbitrary JavaScript.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the Secondary Email field of Zoho ManageEngine ServiceDesk Plus version 11.3 Build 11306 [1][2]. The input validation checks the email domain but does not sanitize HTML tags, allowing an attacker to inject arbitrary JavaScript code [2].
Exploitation
An attacker must have administrative privileges to manage users [2]. After logging in, the attacker navigates to the user management feature and edits or creates a user. In the Secondary Email field, a payload such as `<script>alert(1)</script>@example.com` is entered and saved [2]. When the email address is rendered, the injected script executes in the context of the application [2].
Impact
Successful exploitation results in execution of arbitrary JavaScript in the browser of any user viewing the affected user's profile, leading to potential information disclosure, session hijacking, or other actions the victim can perform [2].
Mitigation
The vulnerability is fixed in ManageEngine ServiceDesk Plus version 12001 (build 12001) [2]. The fix is tracked under update ID SD-98506 [2]. No workaround is provided; upgrading to the fixed version is recommended [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho/ManageEngine ServiceDesk Plus
- Range: = 11.3 Build 11306
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing HTML sanitization in the Secondary Email field allows arbitrary JavaScript injection."
Attack vector
An attacker with admin privileges navigates to the user management section and edits or creates a user. In the "Secondary Email" field, the attacker enters a payload such as `<script>alert(1)</script>@example.com` [ref_id=1]. The application validates the TLD portion of the email but renders the HTML tags, causing the injected JavaScript to execute when the field is displayed [ref_id=1].
Affected code
The vulnerability exists in the "Secondary Email" field of the user management module in ManageEngine ServiceDesk Plus 11.3 Build 11306 [ref_id=1]. The field validates the email TLD section but does not sanitize HTML tags, allowing arbitrary script injection [ref_id=1].
What the fix does
ManageEngine patched the issue in version 12001 with update ID SD-98506 [ref_id=1]. The advisory does not include a patch diff, but the fix presumably adds proper sanitization or encoding of HTML tags in the Secondary Email field to prevent JavaScript execution [ref_id=1].
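As an added illustration (not ManageEngine's code and not the patch, which the advisory does not include), the Python below contrasts a weak check that only inspects the domain after the last `@`, as the advisory describes, with a full-address allowlist plus HTML encoding on output. It also flags stored values that pass the weak check but fail the strict one, which is what an audit of existing user records would look for; the sample inputs are constructed.

```python
import html
import re

# Payload quoted in the advisory, used here as a constructed test input.
XSS_PAYLOAD = "<script>alert(1)</script>@example.com"


def weak_email_check(value: str) -> bool:
    """Weak check resembling the behaviour the advisory describes: only the text
    after the last '@' is checked for a plausible domain and TLD. The local part
    is never inspected, so HTML markup passes straight through to storage."""
    if "@" not in value:
        return False
    domain = value.rsplit("@", 1)[1]
    return re.fullmatch(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}", domain) is not None


# Assumed hardened check: allowlist the whole address. Deliberately conservative
# rather than full RFC 5322, but it can never admit '<', '>', quotes or spaces.
STRICT_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def strict_email_check(value: str) -> bool:
    return STRICT_EMAIL.fullmatch(value) is not None


def render_profile_field(label: str, value: str) -> str:
    """Defence in depth: encode on output so stored text renders as text even if
    a malformed value slipped past validation (e.g. imported before the fix)."""
    return f"<td>{html.escape(label)}</td><td>{html.escape(value, quote=True)}</td>"


def find_suspicious_emails(values):
    """Audit helper: values the weak check accepted but the strict check rejects
    are exactly the records worth reviewing after upgrading."""
    return [v for v in values if weak_email_check(v) and not strict_email_check(v)]


if __name__ == "__main__":
    sample = ["alice@example.com", XSS_PAYLOAD, "bob@example", "carol@example.co.uk"]
    print(find_suspicious_emails(sample))
    print(render_profile_field("Secondary Email", XSS_PAYLOAD))
```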
Preconditions
- auth: Attacker must have admin privileges to access user management
- config: The application must be ManageEngine ServiceDesk Plus version 11.3 Build 11306
- input: Attacker must be able to input data into the Secondary Email field
Reproduction
1. Log in to ManageEngine ServiceDesk Plus 11.3 Build 11306 with an admin account.
2. Navigate to user management and create a new user or edit an existing user.
3. In the "Secondary Email" field, enter the payload `
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/corrupted-brain/Findings/blob/main/ManageEngine%20XSS.md (x_refsource_MISC)
- www.manageengine.com/products/service-desk/on-premises/readme.html (x_refsource_MISC)
News mentions
No linked articles in our index yet.