ManageEngine AssetExplorer < 6.1.0 Build 6113 Multiple XSS

low Nessus Plugin ID 86804

Synopsis

The remote web server is affected by multiple cross-site scripting vulnerabilities.

Description

The version of ManageEngine AssetExplorer running on the remote host is prior to 6.1.0 build 6113. It is, therefore, affected by multiple cross-site scripting (XSS) vulnerabilities :

- A cross-site scripting vulnerability exists due to improper validation of input to the Publisher name before returning it to users. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in the user's browser session. (CVE-2015-2169)

- A cross-site scripting vulnerability exists in the VendorDef.do script due to improper validation of input to the 'organizationName' POST parameter before returning it to users. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in the user's browser session. (CVE-2015-5061)

Solution

Upgrade ManageEngine AssetExplorer to version 6.1.0 build 6113 or later.

See Also

http://www.nessus.org/u?4e82c118

Plugin Details

Severity: Low

ID: 86804

File Name: manageengine_assetexplorer_6113.nasl

Version: 1.8

Type: remote

Published: 11/9/2015

Updated: 3/18/2022

Risk Information

CVSS Score Rationale: Score based on an in-depth analysis of the vulnerabilities.

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.7

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Temporal Vector: E:H/RL:OF/RC:C

CVSS Score Source: manual

CVSS v3

Risk Factor: Low

Base Score: 3.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

Vulnerability Information

CPE: cpe:/a:zoho:manageengine_assetexplorer

Required KB Items: installed_sw/ManageEngine AssetExplorer

Exploit Available: true

Exploit Ease: No exploit is required

Patch Publication Date: 9/23/2015

Vulnerability Publication Date: 6/22/2015

Reference Information

CVE: CVE-2015-2169, CVE-2015-5061

BID: 75389, 75411

EDB-ID: 37395