
Cloud Vulnerability DB
A community-led vulnerabilities database
ManageEngine Desktop Central version 10 was found to be vulnerable to HTML injection (CVE-2019-15510). The vulnerability was discovered in the user administration pages, where text resembling HTML tags in user descriptions could cause unwanted HTML injection, changing the user data that was created (ManageEngine Doc).
The vulnerability lies in the user administration interface, where input validation for user description fields was insufficient. When user descriptions were created or modified, the application failed to properly sanitize text that resembled HTML tags, allowing it to be interpreted and executed by the browser (ManageEngine Doc).
This vulnerability could allow attackers to inject arbitrary HTML code into vulnerable web pages. The potential consequences include disclosure of user session cookies that could be used for impersonation, or more broadly, allowing attackers to modify page content seen by victims. When exploited, the injected HTML would be rendered and executed in the victim's browser context within the trusted domain (ESec Forte).
The vulnerability was identified and fixed by ManageEngine on November 4, 2019. Users should update their Desktop Central installation to the version containing the fix. The update can be applied by logging into the Desktop Central console and downloading the latest applicable build (ManageEngine Doc).
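The failure mode described above, as an added example that is not ManageEngine code: a user-description field written into markup without encoding, the same row with output encoding applied, and an audit helper for finding stored descriptions that already contain tag-like text. All function names, field names and sample records are hypothetical and constructed for illustration; output encoding is shown as the standard mitigation, not as the vendor's actual patch.

```javascript
// Added illustration only; names and records are hypothetical, not Desktop Central internals.

// Encode the characters that let text break out of an HTML text or attribute context.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  // Single pass, so an "&" produced by an earlier replacement is never re-encoded.
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the description is concatenated as-is, so tag-like text becomes markup.
function renderUserRowUnsafe(user) {
  return `<tr><td>${user.name}</td><td>${user.description}</td></tr>`;
}

// "After": every user-controlled field is encoded at output time.
function renderUserRow(user) {
  return `<tr><td>${escapeHtml(user.name)}</td><td>${escapeHtml(user.description)}</td></tr>`;
}

// Audit helper: "<" followed by a letter, "/" or "!" looks like a tag or comment opener.
// A bare comparison such as "< 99%" is not flagged.
const TAG_LIKE = /<\s*\/?\s*[a-zA-Z!][^>]*>?/;
function findSuspectDescriptions(users) {
  return users.filter((u) => TAG_LIKE.test(u.description || "")).map((u) => u.name);
}

// Constructed sample records (assumed shape: { name, description }).
const sampleUsers = [
  { name: "alice", description: "Helpdesk operator, EMEA" },
  { name: "bob", description: "Patch admin <b>contractor</b>" },
  { name: "carol", description: "Uptime < 99% & rising" },
];

for (const user of sampleUsers) {
  console.log("unsafe :", renderUserRowUnsafe(user));
  console.log("encoded:", renderUserRow(user));
}
console.log("review these accounts:", findSuspectDescriptions(sampleUsers));
```

Running the audit helper over existing records after updating is worthwhile because descriptions stored before the fix remain in the database unchanged.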
Source: This report was generated using AI