The host is installed with Zoho ManageEngine ADSelfService Plus before build 6104 and is prone to a stored XSS vulnerability. A flaw is present in the application, which does not properly handle the e-mail address field. Successful exploitation allows stored XSS on the /webclient/index.html#/directory-search user search page.