PRTG Network Monitor login.htm errormsg Parameter XSS

This script is Copyright (C) 2011-2014 Tenable Network Security, Inc.


Synopsis :

The remote web server contains an application that is affected by a
cross-site scripting vulnerability.

Description :

The installed version of PRTG Network Monitor fails to sanitize input
passed to the 'errormsg' parameter of 'login.htm' before using it to
generate dynamic HTML content.

An unauthenticated, remote attacker may be able to leverage this issue
to inject arbitrary HTML or script code into a user's browser to be
executed within the security context of the affected site.
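As an added example, not code from the Nessus plugin or from Paessler, the following Python script flags login.htm requests whose 'errormsg' value carries HTML markup in constructed access-log lines, and shows the output encoding that would keep such a value from being reflected as markup. The log format, the sample lines and all function names are assumptions.

```python
"""Detect reflected-markup attempts against the PRTG login.htm 'errormsg'
parameter and show the encoding that neutralises them.  Added example;
log format and sample lines are constructed, not taken from a real system."""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in NCSA common access-log format.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Jan/2011:10:00:01 +0000] "GET /login.htm?errormsg=Invalid+credentials HTTP/1.1" 200 1432
203.0.113.11 - - [25/Jan/2011:10:00:05 +0000] "GET /login.htm?errormsg=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1487
203.0.113.12 - - [25/Jan/2011:10:00:09 +0000] "GET /login.htm?errormsg=%3Cb%20onmouseover%3Dalert(1)%3E HTTP/1.1" 200 1490
203.0.113.13 - - [25/Jan/2011:10:00:12 +0000] "GET /index.htm HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Heuristic markers of HTML/script in a value meant to be plain text.
MARKERS = re.compile(r'<|>|javascript:|on\w+\s*=', re.IGNORECASE)


def extract_errormsg(target):
    """Return the decoded 'errormsg' value of a /login.htm request, else None."""
    parts = urlsplit(target)
    if parts.path.lower() != '/login.htm':
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get('errormsg')
    return values[0] if values else None


def find_suspicious(log_text):
    """Return (client_ip, decoded_errormsg) for requests carrying markup."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        msg = extract_errormsg(m.group('target'))
        if msg is None:
            continue
        decoded = unquote(msg)  # second pass catches double-encoded values
        if MARKERS.search(decoded):
            hits.append((m.group('ip'), decoded))
    return hits


def render_error(errormsg):
    """The fix: HTML-encode the value before placing it in the page body."""
    return '<p class="error">%s</p>' % html.escape(errormsg, quote=True)
```

Run against a real log only after adjusting LOG_RE to the server's actual format; the marker list is a heuristic and will also flag benign text that happens to contain angle brackets.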

See also :

http://archives.neohapsis.com/archives/fulldisclosure/2011-01/0479.html
http://www.paessler.com/prtg/prtg8history

Solution :

Upgrade to version 8.2.0.1898/1899

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 4.1
(CVSS2#E:F/RL:U/RC:ND)
Public Exploit Available : true

Family: CGI abuses : XSS

Nessus Plugin ID: 51876

Bugtraq ID: 46029

CVE ID: