Web application abuses : ManageEngine Applications Manager 9.x, 10.x Multiple Vulnerabilities

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 146377 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.802424

Categoría: Web application abuses

Título: ManageEngine Applications Manager 9.x, 10.x Multiple Vulnerabilities - Active Check

Resumen: ManageEngine Applications Manager is prone to multiple; cross-site scripting (XSS) and SQL injection (SQLi) vulnerabilities.

Descripción: Summary:
ManageEngine Applications Manager is prone to multiple
cross-site scripting (XSS) and SQL injection (SQLi) vulnerabilities.

Vulnerability Insight:
The flaws are due to an input passed to the

- 'query', 'selectedNetwork', 'network', and 'group' parameters in various scripts is not
properly sanitised before being returned to the user.

- 'viewId' parameter to fault/AlarmView.do and 'period' parameter to showHistoryData.do is not
properly sanitised before being used in SQL queries.

Vulnerability Impact:
Successful exploitation will allow attacker to execute arbitrary
HTML and script code in a user's browser session in context of an affected site and compromise
the application, access or modify data, or exploit latent vulnerabilities in the underlying
database.

Affected Software/OS:
ManageEngine Applications Manager version 9.x and 10.x.

Solution:
No known solution was made available for at least one year
since the disclosure of this vulnerability. Likely none will be provided anymore. General
solution options are to upgrade to a newer release, disable respective features, remove the
product or replace the product by another one.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2012-1062
BugTraq ID: 51796
http://www.securityfocus.com/bid/51796
http://packetstormsecurity.org/files/view/109238/VL-115.txt
http://www.vulnerability-lab.com/get_content.php?id=115
http://osvdb.org/78721
http://osvdb.org/78722
http://secunia.com/advisories/47724
XForce ISS Database: meapplicationsmanager-multiple-xss(72830)
https://exchange.xforce.ibmcloud.com/vulnerabilities/72830
Common Vulnerability Exposure (CVE) ID: CVE-2012-1063
XForce ISS Database: meapplication-multiple-sql-injection(72831)
https://exchange.xforce.ibmcloud.com/vulnerabilities/72831

Copyright Copyright (C) 2012 Greenbone AG

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.802424
Categoría:	Web application abuses
Título:	ManageEngine Applications Manager 9.x, 10.x Multiple Vulnerabilities - Active Check
Resumen:	ManageEngine Applications Manager is prone to multiple; cross-site scripting (XSS) and SQL injection (SQLi) vulnerabilities.
Descripción:	Summary: ManageEngine Applications Manager is prone to multiple cross-site scripting (XSS) and SQL injection (SQLi) vulnerabilities. Vulnerability Insight: The flaws are due to an input passed to the - 'query', 'selectedNetwork', 'network', and 'group' parameters in various scripts is not properly sanitised before being returned to the user. - 'viewId' parameter to fault/AlarmView.do and 'period' parameter to showHistoryData.do is not properly sanitised before being used in SQL queries. Vulnerability Impact: Successful exploitation will allow attacker to execute arbitrary HTML and script code in a user's browser session in context of an affected site and compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Affected Software/OS: ManageEngine Applications Manager version 9.x and 10.x. Solution: No known solution was made available for at least one year since the disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one. CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2012-1062 BugTraq ID: 51796 http://www.securityfocus.com/bid/51796 http://packetstormsecurity.org/files/view/109238/VL-115.txt http://www.vulnerability-lab.com/get_content.php?id=115 http://osvdb.org/78721 http://osvdb.org/78722 http://secunia.com/advisories/47724 XForce ISS Database: meapplicationsmanager-multiple-xss(72830) https://exchange.xforce.ibmcloud.com/vulnerabilities/72830 Common Vulnerability Exposure (CVE) ID: CVE-2012-1063 XForce ISS Database: meapplication-multiple-sql-injection(72831) https://exchange.xforce.ibmcloud.com/vulnerabilities/72831
Copyright	Copyright (C) 2012 Greenbone AG