Lucene search
Murat Aydemir1337DAY-ID-31657HistoryNov 20, 2018 - 12:00 a.m.
Zoho ManageEngine OpManager 12.3 Cross Site Scripting Vulnerability
2018-11-2000:00:00
Murat Aydemir
0day.today
36
EPSS
0.003
Percentile
65.1%
Zoho ManageEngine OpManager versions 12.3 before build 123223 have a cross site scripting vulnerability via the updateWidget API.
I. VULNERABILITY
-------------------------
Zoho ManageEngine OpManager 12.3 before Build 123223 has XSS via the
updateWidget API.
II. CVE REFERENCE
-------------------------
CVE-2018-19288
III. VENDOR
-------------------------
https://www.manageengine.com
IV. TIMELINE
-------------------------
17/10/18 Vulnerability discovered
18/10/18 Vendor contacted
18/11/2018 OPManager replay that they fixed
V. CREDIT
-------------------------
Murat Aydemir from Biznet Bilisim A.S.
VI. DESCRIPTION
-------------------------
ManageEngine OPManager product(version 12.3) was vulnerable to stored
xss attacks. A successfully exploit of this attack could allow thief
users sessions or arbitrary interpret javascript code on remote host.
References: https://www.manageengine.com/network-monitoring/help/read-me.html,
https://bugbounty.zoho.com/bb/info#hof
VII. Remediation
-------------------------
Its recommended to update latest version of OPManager.
https://www.manageengine.com/network-monitoring/download.html
# 0day.today [2018-12-12] #Related
cve
cve
CVE-2018-19288
2018-11-15 06:29:00
cvelist
cvelist
CVE-2018-19288
2018-11-15 06:00:00
prion
prion
Code injection
2018-11-15 06:29:00
nvd
nvd
CVE-2018-19288
2018-11-15 06:29:00