ManageEngine EventLog Analyzer 'j_username' XSS

medium Nessus Plugin ID 77480

Synopsis

The remote web server hosts an application that is affected by a cross-site scripting vulnerability.

Description

The remote web server fails to sanitize user-supplied input to the 'j_username' parameter of the 'j_security_check' login handler before echoing it into dynamically generated HTML, so the parameter is reflected into the response with its HTML metacharacters intact.

An attacker can exploit this flaw, typically by persuading a user to follow a specially crafted link or submit a crafted login form, to inject arbitrary HTML or script code into that user's browser, where it executes within the security context of the affected site.

Note that the application may also be affected by an information disclosure vulnerability, although Nessus has not tested for this.
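The pattern the description refers to, shown here as an added illustration that is not part of the plugin, of Tenable's code, or of ManageEngine's product: a login handler that echoes 'j_username' into its HTML without encoding, the same handler with HTML output encoding applied, and the classification a scanner would apply to the response. Only the parameter name 'j_username' and the 'j_security_check' endpoint come from the page; the page template, the probe format and the random marker are assumptions made for the example.

```python
import html
import secrets
import string
from urllib.parse import urlencode

# Constructed login page that echoes j_username back into the response, the
# behaviour this plugin describes. The real EventLog Analyzer template is not
# shown on the page; this one is an assumption used only for illustration.
LOGIN_TEMPLATE = (
    '<form action="j_security_check" method="post">'
    '<input type="text" name="j_username" value="{username}">'
    '<input type="password" name="j_password">'
    '<p>Login failed for user {username}</p>'
    '</form>'
)


def render_vulnerable(username: str) -> str:
    """Substitute the raw parameter into HTML: the attribute and text contexts both break."""
    return LOGIN_TEMPLATE.format(username=username)


def render_fixed(username: str) -> str:
    """Encode for HTML before substitution. quote=True also encodes " and ',
    so the value cannot close the value="..." attribute it is placed in."""
    return LOGIN_TEMPLATE.format(username=html.escape(username, quote=True))


def make_probe() -> tuple[str, str]:
    """Return (payload, marker). The marker is random so the check cannot be
    satisfied by static page content; the payload closes the attribute and
    opens a script tag, which a correctly encoded page cannot reproduce."""
    marker = "".join(secrets.choice(string.ascii_lowercase) for _ in range(12))
    payload = f'"><script>{marker}</script>'
    return payload, marker


def probe_body(payload: str) -> str:
    """URL-encoded POST body as a scanner would submit it to j_security_check.
    The j_password value is arbitrary; the check only needs the username echoed."""
    return urlencode({"j_username": payload, "j_password": "x"})


def classify(response_body: str, payload: str, marker: str) -> str:
    """'vulnerable' if the payload is reflected with its metacharacters intact,
    'escaped' if the marker came back but the payload was encoded,
    'not_reflected' if the input does not appear in the response at all."""
    if payload in response_body:
        return "vulnerable"
    if marker in response_body:
        return "escaped"
    return "not_reflected"


if __name__ == "__main__":
    payload, marker = make_probe()
    print("POST body:", probe_body(payload))
    for name, render in (("unencoded", render_vulnerable), ("encoded", render_fixed)):
        print(f"{name:>9}: {classify(render(payload), payload, marker)}")
```

The random marker matters in practice: a login page that already contains the literal string `<script>` would otherwise produce a false positive, and checking for the payload rather than just the marker distinguishes a reflection that was neutralised by encoding from one that was not.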

Solution

There is currently no known solution.

Plugin Details

Severity: Medium

ID: 77480

File Name: manageengine_eventlog_analyzer_j_username_xss.nasl

Version: 1.5

Type: remote

Published: 9/2/2014

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.8

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/a:zohocorp:manageengine_eventlog_analyzer

Required KB Items: installed_sw/ManageEngine EventLog Analyzer

Exploit Ease: No exploit is required

Vulnerability Publication Date: 12/12/2013

Reference Information

CVE: CVE-2014-5103

BID: 65018, 68854

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990