Detections
Analytics
ManageEngine ServiceDesk Plus 8.0.0 < Build 8015 Multiple XSS Vulnerabilities
medium Nessus Plugin ID 57371
Language:
Synopsis
The remote web server hosts an application that may be affected by several cross-site scripting vulnerabilities.Description
The remote host contains ManageEngine ServiceDesk Plus version 8.0.0 prior to build 8015. It is thus potentially affected by multiple cross-site scripting vulnerabilities. The following pages do not properly sanitize input to the following scripts and parameters :- Page : 'AddSolution.do' Parameters : 'comments' and 'keywords'
- Page : 'AnnounceShow.do' Parameter : 'select'
- Pages : 'AddNewProblem.cc', 'ChangeDetails.cc' and 'Problems.cc' Parameter : 'reqName'
- Page : 'calendar/MiniCalendar.jsp' Parameter : 'module'
- Pages : 'HomePage.do' and 'jsp/ServiceCatalog.jsp' Parameter : 'serviceID'
- Page : 'WorkOrder.do' Parameters : 'attach', 'category', 'description', 'level', 'reqName' and 'title'.
Solution
Upgrade to ManageEngine ServiceDesk Plus version 8.0.0 build 8015 or later.See Also
https://seclists.org/fulldisclosure/2011/Aug/221
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5039.php
Plugin Details
Severity: Medium
ID: 57371
File Name: manageengine_servicedesk_8_0_0_build15.nasl
Version: 1.11
Type: remote
Family: CGI abuses : XSS
Published: 12/22/2011
Updated: 10/27/2021
Supported Sensors: Nessus
Risk Information
CVSS Score Rationale: Score based on analysis of the vendor advisory.
CVSS v2
Risk Factor: Medium
Base Score: 4.3
Temporal Score: 3.6
Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS Score Source: manual
CVSS v3
Risk Factor: Medium
Base Score: 6.1
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Vulnerability Information
CPE: cpe:/a:manageengine:servicedesk_plus
Required KB Items: www/manageengine_servicedesk
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 8/16/2011
Vulnerability Publication Date: 8/23/2011
Reference Information
BID: 49291