ManageEngine ServiceDesk Plus 8.0.0 < Build 8015 Multiple XSS Vulnerabilities

medium Nessus Plugin ID 57371

Synopsis

The remote web server hosts an application that may be affected by several cross-site scripting vulnerabilities.

Description

The remote host contains ManageEngine ServiceDesk Plus version 8.0.0 prior to build 8015. It is therefore potentially affected by multiple cross-site scripting vulnerabilities. The following pages do not properly sanitize input to the listed parameters:

- Page: 'AddSolution.do'; Parameters: 'comments' and 'keywords'

- Page: 'AnnounceShow.do'; Parameter: 'select'

- Pages: 'AddNewProblem.cc', 'ChangeDetails.cc' and 'Problems.cc'; Parameter: 'reqName'

- Page: 'calendar/MiniCalendar.jsp'; Parameter: 'module'

- Pages: 'HomePage.do' and 'jsp/ServiceCatalog.jsp'; Parameter: 'serviceID'

- Page: 'WorkOrder.do'; Parameters: 'attach', 'category', 'description', 'level', 'reqName' and 'title'

Solution

Upgrade to ManageEngine ServiceDesk Plus version 8.0.0 build 8015 or later.

See Also

https://seclists.org/fulldisclosure/2011/Aug/221

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5039.php

http://www.nessus.org/u?a0eeced7

Plugin Details

Severity: Medium

ID: 57371

File Name: manageengine_servicedesk_8_0_0_build15.nasl

Version: 1.11

Type: remote

Published: 12/22/2011

Updated: 10/27/2021

Supported Sensors: Nessus

Risk Information

CVSS Score Rationale: Score based on analysis of the vendor advisory.

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: manual

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Vulnerability Information

CPE: cpe:/a:manageengine:servicedesk_plus

Required KB Items: www/manageengine_servicedesk

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/16/2011

Vulnerability Publication Date: 8/23/2011

Reference Information

BID: 49291

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990