Description
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in OpenText™ ZENworks Service Desk allows Cross-Site Scripting (XSS). The vulnerability could allow an attacker to execute arbitrary JavaScript leading to unauthorized actions on behalf of the user. This issue affects ZENworks Service Desk: 25.2, 25.3.
Published: 2026-03-18
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS) capable of arbitrary JavaScript execution leading to unauthorized user actions
Action: Patch immediately
AI Analysis

Impact

The vulnerability arises from improper neutralization of user-supplied input during web page generation in OpenText ZENworks Service Desk (CWE-79). An attacker who gets a crafted value rendered into a page can execute arbitrary JavaScript in the victim's browser and act as that authenticated user: reading and changing data the user can reach, and sending requests that carry the user's session. The record does not say whether the flaw is reflected or stored, nor which page or parameter is affected. The CVSS v4.0 vector published with the record (AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N) scores 7.4 High, with high confidentiality and integrity impact on the vulnerable system and no availability impact; the CVSS v3.1 vector added on 19 March (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) scores 6.1 Medium, so the 7.4 headline figure is the v4.0 score.
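As an added illustration of the flaw class (example code written for this page, not OpenText's code or anything from the advisory; the ticket template and field names are hypothetical), the vulnerable pattern beside its hardened form, with one encoder per output context:

```python
"""Added example, not code from OpenText or from the advisory: how CWE-79
arises when untrusted input is concatenated into HTML, and the context-specific
encoding that neutralizes it. The ticket template and field names are
hypothetical."""
import html
import json

# Constructed attacker input: an <img> whose error handler runs JavaScript
# without a <script> tag and without any click from the victim.
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


def render_ticket_unsafe(subject: str, requester: str) -> str:
    """Vulnerable: raw string interpolation, the pattern CWE-79 describes.
    The same value lands in three different output contexts."""
    return (
        f"<h1>{subject}</h1>\n"
        f'<input name="requester" value="{requester}">\n'
        f'<script>var requester = "{requester}";</script>'
    )


def render_ticket_safe(subject: str, requester: str) -> str:
    """Hardened: each interpolation uses the encoder for its output context.

    text node / quoted attribute: html.escape(quote=True) turns < > & " '
        into entities, so the browser treats the value as data, not markup.
    inline script: json.dumps yields a valid JS string literal; < and > are
        then escaped so the value cannot close the <script> element early.
    """
    safe_text = html.escape(subject, quote=True)
    safe_attr = html.escape(requester, quote=True)
    js_literal = json.dumps(requester).replace("<", "\\u003c").replace(">", "\\u003e")
    return (
        f"<h1>{safe_text}</h1>\n"
        f'<input name="requester" value="{safe_attr}">\n'
        f"<script>var requester = {js_literal};</script>"
    )


def tag_survives(rendered: str) -> bool:
    """Does the attacker's <img ... onerror=...> survive as live markup?"""
    return "<img" in rendered and 'onerror="' in rendered


def script_closers(rendered: str) -> int:
    """Count </script> occurrences; a correct page has exactly one (its own)."""
    return rendered.count("</script>")


if __name__ == "__main__":
    for name, render in (("unsafe", render_ticket_unsafe), ("safe", render_ticket_safe)):
        page = render(PAYLOAD, PAYLOAD)
        print(f"{name}: tag survives={tag_survives(page)}, </script> count={script_closers(page)}")
```

The point of the three contexts is that one encoder does not fit all: HTML-entity encoding is correct for text nodes and quoted attributes but does nothing for a value dropped into an inline script, where a JS string literal with `<` and `>` escaped is needed. A fix for a CWE-79 finding should be checked in every context the value reaches, not only the one the reporter used.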

Affected Systems

Affected products are OpenText ZENworks Service Desk versions 25.2 and 25.3, matching the CPE entries cpe:2.3:a:opentext:zenworks_service_desk:25.2:*:*:*:*:*:*:* and cpe:2.3:a:opentext:zenworks_service_desk:25.3:*:*:*:*:*:*:*. The record names no other affected versions and no fixed version; the vendor article linked under Remediation is the source for the patched build.

Risk and Exploitability

The vulnerability is reachable over the network through the web interface (AV:N), but the two published vectors disagree on preconditions: the v4.0 vector assumes low privileges (PR:L), an attack requirement (AT:P) and only passive user interaction (UI:P), while the v3.1 vector assumes no privileges (PR:N) and active user interaction (UI:R). In either reading the attacker needs a victim to load a page containing the crafted input, which is typical for XSS. The EPSS score of under 1% indicates a low current probability of exploitation, the SSVC decision points in the record are Exploitation: none and Automatable: no, and the vulnerability is not in the CISA KEV catalog. The SSVC Technical Impact is nonetheless rated total, and in a help-desk application an XSS lets an attacker act as the staff user who views the injected content, so organizations running 25.2 or 25.3 should prioritize remediation.

Generated by OpenCVE AI on March 19, 2026 at 16:25 UTC.

Remediation

Vendor Solution

https://portal.microfocus.com/s/article/KM000045873?language=en_US


OpenCVE Recommended Actions

  • Apply the vendor fix for ZENworks Service Desk 25.2 and 25.3 following the instructions at https://portal.microfocus.com/s/article/KM000045873?language=en_US; the CVE record lists no fixed version, so take the fixed build from that article.
  • Verify the update on every affected instance, including secondary and test instances, by checking the installed build against the one the article names.
  • Confirm the fix by submitting input containing HTML metacharacters (<, >, ", ') to the affected pages and checking that the response encodes them as entities instead of rendering them; repeat for every page that echoes the same field.
  • Review web-server and application logs for requests carrying script tags, event-handler attributes or javascript: URLs, including URL-encoded and double-encoded forms, and watch for sessions performing actions the user would not normally take.
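Example code added here to support the verification and monitoring steps above (not OpenCVE's or OpenText's code; the endpoint, parameter name, cookie argument and log lines are hypothetical or constructed): a reflection classifier that tells raw, encoded and partially filtered echoes apart, and a log scan that undoes URL and double-URL encoding before matching.

```python
"""Added example, not OpenText's or OpenCVE's code: (1) classify how a page
reflects a marker string, to confirm a patched instance encodes script-bearing
input instead of rendering it; (2) scan access logs for XSS probes hidden
behind URL encoding. Endpoints, parameters and log lines are made up."""
import html
import re
import urllib.parse
import urllib.request

# Marker: a distinctive tag plus every character an HTML encoder must neutralize.
MARKER = 'zsd7xq"\'<>'


def classify_reflection(body: str, marker: str = MARKER) -> str:
    """'raw'     - marker echoed verbatim: the page is still vulnerable
       'encoded' - metacharacters came back as entities: expected after the patch
       'partial' - some characters stripped or encoded, others not: inspect
       'absent'  - the input is not reflected into this page at all"""
    if marker in body:
        return "raw"
    tag = marker.rstrip('"\'<>')                # the alphanumeric part only
    idx = body.find(tag)
    if idx == -1:
        return "absent"
    window = body[idx: idx + len(marker) * 8]   # an entity is at most 8 chars
    return "encoded" if html.unescape(window).startswith(marker) else "partial"


def probe(url: str, param: str, cookie: str = "") -> str:
    """Fetch url with ?param=MARKER (hypothetical endpoint; a session cookie is
    usually needed for a help-desk page) and classify the reflection."""
    full = url + ("&" if "?" in url else "?") + urllib.parse.urlencode({param: MARKER})
    req = urllib.request.Request(full, headers={"Cookie": cookie} if cookie else {})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return classify_reflection(resp.read().decode("utf-8", "replace"))


# --- log review ---------------------------------------------------------------
XSS_PATTERNS = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    # 'on<event>=' preceded by whitespace, quote or slash, as inside a tag;
    # this excludes ordinary parameters such as ?online=1
    ("event handler", re.compile(r"""(?:^|[\s"'/])on[a-z]+\s*=""", re.I)),
    ("javascript: URL", re.compile(r"javascript\s*:", re.I)),
    ("tag injection", re.compile(r"<\s*(?:img|svg|iframe|body|object|embed)\b", re.I)),
]
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|PATCH) (\S+) HTTP/')


def deep_decode(s: str, rounds: int = 3) -> str:
    """Undo URL and HTML encoding repeatedly; attackers double-encode to slip
    past single-pass filters, so one unquote is not enough."""
    for _ in range(rounds):
        decoded = html.unescape(urllib.parse.unquote_plus(s))
        if decoded == s:
            break
        s = decoded
    return s


def scan_access_log(text: str) -> list:
    """Return (line number, matched pattern names, decoded query string) for
    each request whose query string looks like an XSS probe."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = deep_decode(urllib.parse.urlsplit(m.group(1)).query)
        names = [name for name, rx in XSS_PATTERNS if rx.search(query)]
        if names:
            hits.append((n, names, query))
    return hits


# Constructed Combined Log Format lines; the /servicedesk/... paths are made up.
SAMPLE_LOG = """\
10.0.0.5 - agent1 [19/Mar/2026:10:01:02 +0000] "GET /servicedesk/search?q=printer+jam HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Mar/2026:10:01:09 +0000] "GET /servicedesk/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5211 "-" "curl/8.5"
198.51.100.7 - - [19/Mar/2026:10:01:11 +0000] "GET /servicedesk/search?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5234 "-" "curl/8.5"
198.51.100.7 - - [19/Mar/2026:10:01:14 +0000] "POST /servicedesk/ticket?returnUrl=javascript%3Aalert(document.cookie) HTTP/1.1" 302 0 "-" "curl/8.5"
"""

if __name__ == "__main__":
    for n, names, q in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(names)} -> {q}")
```

Run the classifier against the affected pages before and after patching: a result of raw on the old build and encoded on the new one is the evidence the verification step asks for, while partial means a filter strips some characters and deserves a closer look rather than a pass. The log scan is a heuristic for triage; the same decoded query strings should be fed into whatever SIEM rule you already keep for injection attempts.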

Generated by OpenCVE AI on March 19, 2026 at 16:25 UTC.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 15:00:00 +0000

Type      Values removed   Values added
CPEs      (none)           cpe:2.3:a:opentext:zenworks_service_desk:25.2:*:*:*:*:*:*:*
                           cpe:2.3:a:opentext:zenworks_service_desk:25.3:*:*:*:*:*:*:*
Metrics   (none)           cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Thu, 19 Mar 2026 09:45:00 +0000

Type                  Values removed   Values added
First Time appeared   (none)           Opentext
                                       Opentext zenworks Service Desk
Vendors & Products    (none)           Opentext
                                       Opentext zenworks Service Desk

Wed, 18 Mar 2026 15:15:00 +0000

Type      Values removed   Values added
Metrics   (none)           ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 14:15:00 +0000

Type          Values removed   Values added
Description   (none)           Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in OpenText™ ZENworks Service Desk allows Cross-Site Scripting (XSS). The vulnerability could allow an attacker to execute arbitrary JavaScript leading to unauthorized actions on behalf of the user. This issue affects ZENworks Service Desk: 25.2, 25.3.
Title         (none)           XSS Vulnerability discovered in OpenText™ ZENworks Service Desk.
Weaknesses    (none)           CWE-79
References    (none)
Metrics       (none)           cvssV4_0 {'score': 7.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/S:N/AU:Y/R:U/V:D/RE:M/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: OpenText

Published:

Updated: 2026-03-18T14:12:07.586Z

Reserved: 2026-02-26T15:39:16.290Z

Link: CVE-2026-3278

Vulnrichment

Updated: 2026-03-18T14:12:02.759Z

NVD

Status : Analyzed

Published: 2026-03-18T14:16:40.813

Modified: 2026-03-19T14:57:16.767

Link: CVE-2026-3278

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:58:45Z

Weaknesses