Detections
Analytics
ManageEngine OpManager XSS (CVE-2024-36038)
medium Nessus Plugin ID 201088
Language:
Synopsis
The remote web server hosts an application that is affected by a cross-side scripting vulnerability.Description
A cross-side scripting vulnerability exists in the configured proxy server for ManageEngine OpManager 12.8.234. A attacker can use this vulnerability to alter the intended functionality of the proxy server, potentially leading to credentials disclosure within a trusted session.Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade ManageEngine OpManager according to the vendor advisory.See Also
https://www.manageengine.com/itom/advisory/cve-2024-36038.html
Plugin Details
Severity: Medium
ID: 201088
File Name: manageengine_opmanager_CVE-2024-36038.nasl
Version: 1.4
Type: remote
Family: CGI abuses
Published: 6/27/2024
Updated: 7/19/2024
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 4.2
CVSS v2
Risk Factor: High
Base Score: 7.5
Temporal Score: 5.5
Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:C/A:N
CVSS Score Source: CVE-2024-36038
CVSS v3
Risk Factor: Medium
Base Score: 6.3
Temporal Score: 5.5
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:zohocorp:manageengine_opmanager
Required KB Items: installed_sw/ManageEngine OpManager
Exploit Ease: No known exploits are available
Patch Publication Date: 5/31/2024
Vulnerability Publication Date: 5/31/2024
Reference Information
CVE: CVE-2024-36038
IAVA: 2024-A-0374-S