PRTG Network Monitor login.htm errormsg Parameter XSS

medium Nessus Plugin ID 51876

Synopsis

The remote web server contains an application that is affected by a cross-site scripting vulnerability.

Description

The installed version of PRTG Network Monitor fails to sanitize input passed to 'errormsg' parameter in 'login.htm' before using it to generate dynamic HTML content.

An unauthenticated, remote attacker may be able to leverage this issue to inject arbitrary HTML or script code into a user's browser to be executed within the security context of the affected site.

Solution

Upgrade to version 8.2.0.1898/1899

See Also

https://seclists.org/bugtraq/2011/Jan/168

https://www.paessler.com/prtg/prtg8history

Plugin Details

Severity: Medium

ID: 51876

File Name: prtg_network_monitor_login_errormsg_xss.nasl

Version: 1.12

Type: remote

Published: 2/4/2011

Updated: 3/4/2021

Supported Sensors: Nessus

Risk Information

CVSS Score Rationale: Score from an in depth analysis done by tenable

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: manual

Vulnerability Information

Required KB Items: installed_sw/prtg_network_monitor

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/17/2011

Vulnerability Publication Date: 1/26/2011

Reference Information

BID: 46029

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990

Secunia: 43076