CVE-2024-38870
Description
Zohocorp ManageEngine OpManager, OpManager Plus, OpManager MSP and OpManager Enterprise Edition versions before 128104, from 128151 before 128238, and from 128247 before 128250 are vulnerable to a stored XSS vulnerability in the reports module.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ManageEngine OpManager is vulnerable to stored XSS in the Schedule Reports feature, allowing authenticated attackers to inject malicious scripts.
Vulnerability Overview
CVE-2024-38870 is a stored cross-site scripting (XSS) vulnerability in the Schedule Reports module of Zohocorp ManageEngine OpManager, OpManager Plus, OpManager MSP, and OpManager Enterprise Edition. The flaw arises from insufficient sanitization of user-supplied input when creating or editing scheduled reports, allowing an attacker to store arbitrary JavaScript code within the report configuration [1].
Exploitation Conditions
Exploitation requires an authenticated user with privileges to create or modify scheduled reports. The attacker injects script into report fields (e.g., report name, description, or parameters). When other users (including administrators) view or execute the scheduled report, the injected script runs in their browser with the privileges of the OpManager origin, so the same-origin policy offers no protection against it [1].
Impact
Successful exploitation enables the attacker to perform actions on behalf of the victim, such as stealing session cookies, exfiltrating sensitive data displayed in the OpManager interface, or performing unauthorized actions within the application. The CVSS v3 base score is 3.5 (Low), reflecting the requirement for authenticated access and user interaction [1].
Mitigation
The vendor has addressed the vulnerability in the following fixed builds: OpManager version 128104 (released June 14, 2024), version 128238 (released June 7, 2024), and version 128250 (released June 4, 2024). Users running affected versions (128103 and below, 128151–128237, or 128247–128249) should upgrade immediately to the corresponding fixed build. No workarounds are documented; updating is the recommended course of action [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: before 128104, from 128151 before 128238, from 128247 before 128250
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.