ManageEngine AssetExplorer < 5.6.0 Build 5614 XML Asset Data XSS

This script is Copyright (C) 2013-2016 Tenable Network Security, Inc.


Synopsis :

The remote web server is affected by a cross-site scripting
vulnerability.

Description :

The version of ManageEngine AssetExplorer running on the remote host
is prior to 5.6.0 build 5614. It is, therefore, affected by a
cross-site scripting vulnerability in WsDiscoveryServlet due to
improper validation of certain XML asset data before returning it to
users. An unauthenticated, remote attacker can exploit this, via a
specially crafted request, to execute arbitrary script code in the
user's browser session.

See also :

http://www.nessus.org/u?9b97aaa3

Solution :

Upgrade ManageEngine AssetExplorer to version 5.6.0 build 5614 or
later.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.6
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: CGI abuses : XSS

Nessus Plugin ID: 63694

Bugtraq ID: 56835

CVE ID: CVE-2012-5956
