ManageEngine Firewall Analyzer < 12.0 Multiple Vulnerabilities

medium Nessus Plugin ID 90446

Synopsis

The remote web server hosts an application that is affected by multiple vulnerabilities.

Description

The version of ManageEngine Firewall Analyzer running on the remote web server is prior to 12.0. It is, therefore, affected by multiple vulnerabilities :

- A SQL injection vulnerability exists in the runQuery.do script due to improper sanitization of user-supplied input to the 'RunQuerycommand' parameter. An authenticated, remote attacker can exploit this to inject or manipulate SQL queries in the back-end database, resulting the manipulation or disclosure of arbitrary data.

- Multiple cross-site scripting (XSS) vulnerabilities exist due to improper validation of user-supplied input.
A remote attacker can exploit these vulnerabilities to execute arbitrary script code in a user's browser session.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to ManageEngine Firewall Analyzer version 12.0.

See Also

http://www.nessus.org/u?15629b73

Plugin Details

Severity: Medium

ID: 90446

File Name: manageengine_firewall_analyzer_pre12_sqli.nasl

Version: 1.7

Type: remote

Family: CGI abuses

Published: 4/13/2016

Updated: 3/29/2022

Supported Sensors: Nessus

Risk Information

CVSS Score Rationale: Score from an in depth analysis done by tenable

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: manual

Vulnerability Information

CPE: x-cpe:/a:zohocorp:manageengine_firewall_analyzer

Required KB Items: installed_sw/ManageEngine Firewall Analyzer

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/23/2016

Vulnerability Publication Date: 1/17/2016