{"api_version":"1","generated_at":"2026-06-24T18:02:10+00:00","cve":"CVE-2018-9163","urls":{"html":"https://cve.report/CVE-2018-9163","api":"https://cve.report/api/cve/CVE-2018-9163.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-9163","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-9163"},"summary":{"title":"CVE-2018-9163","description":"A stored Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Recovery Manager Plus before 5.3 (Build 5350) allows remote authenticated users (with Add New Technician permissions) to inject arbitrary web script or HTML via the loginName field to technicianAction.do.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2018-04-02 12:29:00","updated_at":"2019-02-27 19:18:00"},"problem_types":["CWE-79"],"metrics":[],"references":[{"url":"https://www.exploit-db.com/exploits/44666/","name":"44666","refsource":"EXPLOIT-DB","tags":["Third Party Advisory","VDB Entry"],"title":"ManageEngine Recovery Manager Plus 5.3 - Cross-Site Scripting - Java webapps Exploit","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://gurelahmet.com/cve-2018-9163-zoho-manageengine-recovery-manager-plus-5-3-build-5330-stored-cross-site-scripting-xss-vulnerability/","name":"https://gurelahmet.com/cve-2018-9163-zoho-manageengine-recovery-manager-plus-5-3-build-5330-stored-cross-site-scripting-xss-vulnerability/","refsource":"MISC","tags":["Exploit","Third Party Advisory"],"title":"Zoho ManageEngine Recovery Manager Plus 5.3 (Build 5330) Stored Cross-Site-Scripting (XSS) Vulnerability [CVE-2018-9163] | Ahmet GÜREL","mime":"text/html","httpstatus":"404","archivestatus":"200"},{"url":"https://www.manageengine.com/ad-recovery-manager/release-notes.html#5350","name":"https://www.manageengine.com/ad-recovery-manager/release-notes.html#5350","refsource":"CONFIRM","tags":["Release Notes"],"title":"RecoveryManager Plus Release Notes - Highlights the new features, enhancements and bug fixes included in each release of this Active Directory backup and recovery tool.","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/103773","name":"103773","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Malformed Request","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-9163","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-9163","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"9163","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"zohocorp","cpe5":"manageengine_recovery_manager_plus","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2018","cve_id":"9163","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"zohocorp","cpe5":"manageengine_recovery_manager_plus","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2018-9163","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"A stored Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Recovery Manager Plus before 5.3 (Build 5350) allows remote authenticated users (with Add New Technician permissions) to inject arbitrary web script or HTML via the loginName field to technicianAction.do."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"name":"https://www.manageengine.com/ad-recovery-manager/release-notes.html#5350","refsource":"CONFIRM","url":"https://www.manageengine.com/ad-recovery-manager/release-notes.html#5350"},{"name":"https://gurelahmet.com/cve-2018-9163-zoho-manageengine-recovery-manager-plus-5-3-build-5330-stored-cross-site-scripting-xss-vulnerability/","refsource":"MISC","url":"https://gurelahmet.com/cve-2018-9163-zoho-manageengine-recovery-manager-plus-5-3-build-5330-stored-cross-site-scripting-xss-vulnerability/"},{"name":"103773","refsource":"BID","url":"http://www.securityfocus.com/bid/103773"},{"name":"44666","refsource":"EXPLOIT-DB","url":"https://www.exploit-db.com/exploits/44666/"}]}},"nvd":{"publishedDate":"2018-04-02 12:29:00","lastModifiedDate":"2019-02-27 19:18:00","problem_types":["CWE-79"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":5.4,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.3,"impactScore":2.7},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":3.5},"severity":"LOW","exploitabilityScore":6.8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":true}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:zohocorp:manageengine_recovery_manager_plus:*:*:*:*:*:*:*:*","versionEndExcluding":"5.3","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"9163","Ordinal":"125557","Title":"CVE-2018-9163","CVE":"CVE-2018-9163","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"9163","Ordinal":"1","NoteData":"A stored Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Recovery Manager Plus before 5.3 (Build 5350) allows remote authenticated users (with Add New Technician permissions) to inject arbitrary web script or HTML via the loginName field to technicianAction.do.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"9163","Ordinal":"2","NoteData":"2018-04-02","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"9163","Ordinal":"3","NoteData":"2018-07-03","Type":"Other","Title":"Modified"}]}}}