ManageEngine ServiceDesk Plus 8.0.0 < Build 8015 Multiple Cross-Site Scripting Vulnerabilities

This script is Copyright (C) 2011 Tenable Network Security, Inc.


Synopsis :

The remote web server hosts an application that may be affected by
several cross-site scripting vulnerabilities.

Description :

The remote host contains ManageEngine ServiceDesk Plus version 8.0.0
prior to build 8015. It is thus potentially affected by multiple
cross-site scripting vulnerabilities. The following pages do not
properly sanitize input passed to the parameters listed :

- Page : 'AddSolution.do'
Parameters : 'comments' and 'keywords'

- Page : 'AnnounceShow.do'
Parameter : 'select'

- Pages : 'AddNewProblem.cc', 'ChangeDetails.cc' and 'Problems.cc'
Parameter : 'reqName'

- Page : 'calendar/MiniCalendar.jsp'
Parameter : 'module'

- Pages : 'HomePage.do' and 'jsp/ServiceCatalog.jsp'
Parameter : 'serviceID'

- Page : 'WorkOrder.do'
Parameters : 'attach', 'category', 'description', 'level', 'reqName' and 'title'

See also :

http://seclists.org/fulldisclosure/2011/Aug/221
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5039.php
http://www.manageengine.com/products/service-desk/readme-8.0.html

Solution :

Upgrade to ManageEngine ServiceDesk Plus version 8.0.0 build 8015 or later.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.6
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: CGI abuses : XSS

Nessus Plugin ID: 57371

Bugtraq ID: 49291

CVE ID: