Skip to main content

Zenworks Service Desk EUVDEUVD-2026-12825

| CVE-2026-3278 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-18 OpenText
7.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/S:N/AU:Y/R:U/V:D/RE:M/U:Amber

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/S:N/AU:Y/R:U/V:D/RE:M/U:Amber
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
N

Lifecycle Timeline

3
EUVD ID Assigned
Mar 18, 2026 - 14:15 euvd
EUVD-2026-12825
Analysis Generated
Mar 18, 2026 - 14:15 vuln.today
CVE Published
Mar 18, 2026 - 13:49 nvd
HIGH 7.4

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in OpenText™ ZENworks Service Desk allows Cross-Site Scripting (XSS). The vulnerability could allow an attacker to execute arbitrary JavaScript leading to unauthorized actions on behalf of the user.This issue affects ZENworks Service Desk: 25.2, 25.3.

AnalysisAI

OpenText ZENworks Service Desk contains an improper input neutralization vulnerability (CWE-79 Cross-Site Scripting) that allows attackers to inject and execute arbitrary JavaScript in the context of a user's browser session. Affected versions are 25.2 and 25.3. Successful exploitation enables unauthorized actions on behalf of the user, including session hijacking, credential theft, or lateral movement within the service desk application.

Technical ContextAI

The vulnerability resides in the web page generation logic of OpenText ZENworks Service Desk (CPE: cpe:2.3:a:opentext:zenworks_service_desk:*:*:*:*:*:*:*:*), a service management and IT help desk solution. The root cause is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), which occurs when user-supplied input is rendered in HTML or JavaScript context without proper encoding or sanitization. This allows attackers to inject malicious script tags or event handlers that execute in the victim's browser, bypassing the same-origin policy through reflected or stored XSS mechanisms depending on the vulnerable input vector within the application.

RemediationAI

Users should immediately upgrade OpenText ZENworks Service Desk to a patched version released after 25.3; specific patch versions should be confirmed via the vendor advisory at https://portal.microfocus.com/s/article/KM000045873?language=en_US. As an interim control, restrict network access to the ZENworks Service Desk application to trusted internal networks or VPN-authenticated users only. Implement a Web Application Firewall (WAF) with rules to detect and block common XSS payloads, enable Content Security Policy (CSP) headers to limit script execution, and enforce HTTPS with HSTS to prevent man-in-the-middle attacks. Monitor application logs for suspicious input patterns and consider disabling untrusted user input features if operationally feasible until patching is complete.

Share

EUVD-2026-12825 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy