CVE-2021-46065: 
Zoho ManageEngine ServiceDesk Plus vulnerability analysis and mitigation

A Cross-site scripting (XSS) vulnerability (CVE-2021-46065) was discovered in the Secondary Email Field of Zoho ManageEngine ServiceDesk Plus version 11.3 Build 11306. The vulnerability was disclosed on January 27, 2022, and allows attackers with high privileges to inject arbitrary JavaScript code (NVD, MITRE).

The vulnerability exists in the Secondary Email Field validation mechanism which properly validates email TLD sections but fails to properly sanitize HTML tags, allowing the rendering of injected HTML and execution of JavaScript code. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD, GitHub Findings).

The vulnerability allows attackers with high privileges to execute arbitrary JavaScript code through the Secondary Email Field. This could potentially lead to unauthorized access to sensitive information and compromise of user sessions within the application's scope (NVD).

The vulnerability has been patched by ManageEngine with the update ID SD-98506. Users should upgrade to version 12001 or later to address this vulnerability (GitHub Findings, ManageEngine Readme).