Scrutinizer < 10.1.2 Multiple Vulnerabilities
High Nessus Plugin ID 65046
SynopsisThe remote host is running a web application that is affected by multiple vulnerabilities.
DescriptionThe version of Scrutinizer NetFlow and sFlow Analyzer running on the remote host is a version prior to 10.1.2, and is, therefore, potentially affected by the following vulnerabilities :
- A blind SQL injection vulnerability exists because the 'orderby' and 'gadget' parameters of 'fa_web.cgi' fail to properly sanitize user-supplied input. This may allow an attacker to inject or manipulate SQL queries in the back-end database.
- The application is affected by multiple persistent cross-site scripting vulnerabilities in the following parameters / modules :
- 'BBSearchText' - New Board & Policy Manager
- 'Mytab' - Flow Expert
- 'newName' - MyView (CGI)
- 'groupName' - New Users & New Group
- 'username' - New Users & New Group
- 'groupMembers' - Mapping /Maps (CGI)
- 'Type' - Mapping /Maps (CGI)
- 'Checkbox Linklike' - Mapping /Maps (CGI)
- 'indexColumn' - Mapping /Maps (CGI)
- 'name' - Mapping /Maps (CGI)
- 'Object Name' - Mapping /Maps (CGI)
- 'settings groups(checkbox)' - Mapping /Maps (CGI)
- 'Policy Name' - Advanced Filters
- 'Board Name' - Advanced Filters
- 'Violators' - Advanced Filters
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
SolutionUpgrade to Scrutinizer 10.1.2 or later.