ManageEngine AssetExplorer < 6.1.0 Build 6113 Multiple XSS

Medium Nessus Plugin ID 86804

Synopsis

The remote web server is affected by multiple cross-site scripting vulnerabilities.

Description

The version of ManageEngine AssetExplorer running on the remote host is prior to 6.1.0 build 6113. It is, therefore, affected by multiple cross-site scripting (XSS) vulnerabilities :

- A cross-site scripting vulnerability exists due to improper validation of input to the Publisher name before returning it to users. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in the user's browser session. (CVE-2015-2169)

- A cross-site scripting vulnerability exists in the VendorDef.do script due to improper validation of input to the 'organizationName' POST parameter before returning it to users. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in the user's browser session. (CVE-2015-5061)

Solution

Upgrade ManageEngine AssetExplorer to version 6.1.0 build 6113 or later.

See Also

http://www.nessus.org/u?9b97aaa3

Plugin Details

Severity: Medium

ID: 86804

File Name: manageengine_assetexplorer_6113.nasl

Version: $Revision: 1.3 $

Type: remote

Published: 2015/11/09

Modified: 2016/05/20

Dependencies: 63692

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 4.3

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Temporal Vector: CVSS2#E:POC/RL:U/RC:ND

Vulnerability Information

CPE: cpe:/a:zoho:manageengine_assetexplorer

Required KB Items: installed_sw/ManageEngine AssetExplorer

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2015/09/23

Vulnerability Publication Date: 2015/06/22

Reference Information

CVE: CVE-2015-2169, CVE-2015-5061

BID: 75389, 75411

EDB-ID: 37395