CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
48.2%
The version of ManageEngine EventLog Analyzer installed on the remote host is prior or equal to 11.0 Build 11000. It is, therefore, affected by a cross-site scripting (XSS) vulnerability. An attacker can exploit this flaw to inject arbitrary HTML or script code into a user’s browser to be executed within the security context of the affected site.
Note that Nessus has not attempted to exploit these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable, Inc.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(108592);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/08");
script_cve_id("CVE-2018-8721");
script_bugtraq_id(103424);
script_xref(name:"IAVB", value:"2018-B-0045-S");
script_name(english:"ManageEngine EventLog Analyzer XSS Vulnerability");
script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts an application that is affected by
a cross-site scripting vulnerability");
script_set_attribute(attribute:"description", value:
"The version of ManageEngine EventLog Analyzer installed on the
remote host is prior or equal to 11.0 Build 11000. It is, therefore,
affected by a cross-site scripting (XSS) vulnerability. An
attacker can exploit this flaw to inject arbitrary HTML or script
code into a user's browser to be executed within the security
context of the affected site.
Note that Nessus has not attempted to exploit these issues but has
instead relied only on the application's self-reported version number.");
# https://pitstop.manageengine.com/portal/en/community/topic/manageengine-eventlog-analyzer-11-0-build-11000-stored-cross-site-scripting-attack
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7e4d3ea5");
script_set_attribute(attribute:"solution", value:
"Refer to the vendor for patch or upgrade solutions. At this time
the link to the patch in the bug report appears to be invalid.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-8721");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"vuln_publication_date", value:"2016/03/09");
script_set_attribute(attribute:"patch_publication_date", value:"2016/03/29");
script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/24");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:zohocorp:manageengine_eventlog_analyzer");
script_set_attribute(attribute:"stig_severity", value:"I");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2018-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("manageengine_eventlog_analyzer_detect.nbin");
script_require_keys("installed_sw/ManageEngine EventLog Analyzer");
script_require_ports("Services/www", 8400);
exit(0);
}
include('http.inc');
include('vcf.inc');
include('vcf_extras_zoho.inc');
var app = 'ManageEngine EventLog Analyzer';
var port = get_http_port(default:8400);
var app_info = vcf::zoho::fix_parse::get_app_info(app:app, port:port, webapp:TRUE);
var constraints = [
{'equal' : '11000', 'fixed_display': 'See vendor advisory'}
];
vcf::check_version_and_report(
app_info:app_info,
constraints:constraints,
severity:SECURITY_WARNING,
flags:{'xss':TRUE}
);
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS
Percentile
48.2%