Lucene search

MitreCVE-2009-4387

HistoryDec 22, 2009 - 11:30 p.m.

CVE-2009-4387

2009-12-2223:30:00

CWE-79

mitre

web.nvd.nist.gov

cve-2009-4387

cross-site scripting

xss protection

manageengine password manager pro

remote attacks

web script

html

nvd

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score

5.8

Confidence

High

EPSS

0.004

Percentile

72.6%

JSON

The cross-site scripting (XSS) protection mechanism in ShowInContentAreaAction.do in ManageEngine Password Manager Pro (PMP) before 6.1 Build 6104 uses case-sensitive checks for malicious inputs, which allows remote attackers to inject arbitrary web script or HTML via the searchtext parameter and other unspecified inputs.

Affected configurations

Nvd

Node

manageenginepassword_manager_proRange≤6.1

manageenginepassword_manager_proRange≤6.1-standard

manageenginepassword_manager_proMatch4.6

manageenginepassword_manager_proMatch4.7

manageenginepassword_manager_proMatch4.8

manageenginepassword_manager_proMatch5.0

manageenginepassword_manager_proMatch5.1

manageenginepassword_manager_proMatch5.2

manageenginepassword_manager_proMatch5.3

manageenginepassword_manager_proMatch5.4

manageenginepassword_manager_proMatch6.0

manageenginepassword_manager_pro6.1Range≤-free

VendorProductVersionCPE
manageenginepassword_manager_pro*cpe:2.3:a:manageengine:password_manager_pro:*:*:*:*:*:*:*:*
manageenginepassword_manager_pro*cpe:2.3:a:manageengine:password_manager_pro:*:-:standard:*:*:*:*:*
manageenginepassword_manager_pro4.6cpe:2.3:a:manageengine:password_manager_pro:4.6:*:*:*:*:*:*:*
manageenginepassword_manager_pro4.7cpe:2.3:a:manageengine:password_manager_pro:4.7:*:*:*:*:*:*:*
manageenginepassword_manager_pro4.8cpe:2.3:a:manageengine:password_manager_pro:4.8:*:*:*:*:*:*:*
manageenginepassword_manager_pro5.0cpe:2.3:a:manageengine:password_manager_pro:5.0:*:*:*:*:*:*:*
manageenginepassword_manager_pro5.1cpe:2.3:a:manageengine:password_manager_pro:5.1:*:*:*:*:*:*:*
manageenginepassword_manager_pro5.2cpe:2.3:a:manageengine:password_manager_pro:5.2:*:*:*:*:*:*:*
manageenginepassword_manager_pro5.3cpe:2.3:a:manageengine:password_manager_pro:5.3:*:*:*:*:*:*:*
manageenginepassword_manager_pro5.4cpe:2.3:a:manageengine:password_manager_pro:5.4:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
manageengine	password_manager_pro	*	cpe:2.3:a:manageengine:password_manager_pro::::::::
manageengine	password_manager_pro	*	cpe:2.3:a:manageengine:password_manager_pro::-:standard:::::
manageengine	password_manager_pro	4.6	cpe:2.3:a:manageengine:password_manager_pro:4.6:::::::*
manageengine	password_manager_pro	4.7	cpe:2.3:a:manageengine:password_manager_pro:4.7:::::::*
manageengine	password_manager_pro	4.8	cpe:2.3:a:manageengine:password_manager_pro:4.8:::::::*
manageengine	password_manager_pro	5.0	cpe:2.3:a:manageengine:password_manager_pro:5.0:::::::*
manageengine	password_manager_pro	5.1	cpe:2.3:a:manageengine:password_manager_pro:5.1:::::::*
manageengine	password_manager_pro	5.2	cpe:2.3:a:manageengine:password_manager_pro:5.2:::::::*
manageengine	password_manager_pro	5.3	cpe:2.3:a:manageengine:password_manager_pro:5.3:::::::*
manageengine	password_manager_pro	5.4	cpe:2.3:a:manageengine:password_manager_pro:5.4:::::::*

Rows per page:

1-10 of 121

References

forums.manageengine.com/#Topic/49000003740390

secunia.com/advisories/37765

www.manageengine.com/products/passwordmanagerpro/release-notes.html

www.scip.ch/?vuldb.4063

www.scip.ch/publikationen/advisories/scip_advisory-4063_manageengine_pmp_script_injection.txt

www.securityfocus.com/bid/37336

www.vupen.com/english/advisories/2009/3540

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score

5.8

Confidence

High

EPSS

0.004

Percentile

72.6%

JSON

Related for CVE-2009-4387