[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
ManageEngine EventLog Analyzer Multiple Cross-site Scripting (XSS) Vulnerabilities
Title: ManageEngine EventLog Analyzer Multiple Cross-site Scripting (XSS) Vulnerabilities
Risk (CVSS2 Base Score): Low (3.9)
Solutionary ID: SERT-VDN-1001
CVE ID: Pending
Solutionary disclosure URL: http://www.solutionary.com/index/SERT/Vuln-Disclosures/ManageEngine-XSS-vulnerabilities.html
Product: ManageEngine EventLog Analyzer version 6.1
Application vendor: ManageEngine
Vendor URL: http://www.manageengine.com/products/eventlog/
Date discovered: 9/15/2010
Discovered by: Rob Kraus, Jose Hernandez, and Solutionary Engineering Research Team (SERT)
Vendor notification date: 10/26/2010
Vendor response date: 11/12/2010
Vendor acknowledgment date: 12/2/2010
Vendor provided fix: No fix provided
Release coordinated with the vendor: N/A
Public disclosure date: 12/10/2010
Type of vulnerability: Cross-site Scripting (XSS)
Exploit vectors: Local and Remote
INDEX.do (HOST_ID, OS, GROUP, exportFile, load, type, tab) parameters
INDEX2.do (reported) parameter
hostlist.do (gId) parameter
globalSettings.do (newWindow) parameter
enableHost.do (STATUS) parameter
Tested on: Windows XP, SP1, with EventLog Analyzer version 6.1 default installation.
Affected software versions: ManageEngine EventLog Analyzer version 6.1 (previous versions may also be vulnerable)
Impact: Successful attacks could disclose sensitive information about the user, session, and syslog clients to the attacker, resulting in a loss of confidentiality. Using XSS, an attacker could insert malicious code into a web page and entice naïve users to execute the malicious code.
Fixed in: No fix currently available.
Remediation guidelines: The vendor has not provided any remediation guidelines to address this issue. Solutionary recommends upgrading the application if patches are provided to address the issue identified.
Keywords: security, vulnerability, ManageEngine, syslog, xss, event, log, cross-site scripting
Solutionary, Inc. Vulnerability Disclosure Policy