Detections
Analytics
ManageEngine AssetExplorer < 6.1.0 Build 6113 Multiple XSS
low Nessus Plugin ID 86804
Language:
Synopsis
The remote web server is affected by multiple cross-site scripting vulnerabilities.Description
The version of ManageEngine AssetExplorer running on the remote host is prior to 6.1.0 build 6113. It is, therefore, affected by multiple cross-site scripting (XSS) vulnerabilities :- A cross-site scripting vulnerability exists due to improper validation of input to the Publisher name before returning it to users. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in the user's browser session. (CVE-2015-2169)
- A cross-site scripting vulnerability exists in the VendorDef.do script due to improper validation of input to the 'organizationName' POST parameter before returning it to users. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in the user's browser session. (CVE-2015-5061)
Solution
Upgrade ManageEngine AssetExplorer to version 6.1.0 build 6113 or later.See Also
Plugin Details
Severity: Low
ID: 86804
File Name: manageengine_assetexplorer_6113.nasl
Version: 1.8
Type: remote
Family: CGI abuses : XSS
Published: 11/9/2015
Updated: 3/18/2022
Supported Sensors: Nessus
Risk Information
CVSS Score Rationale: Score based on an in-depth analysis of the vulnerabilities.
VPR
Risk Factor: Low
Score: 3.8
CVSS v2
Risk Factor: Medium
Base Score: 4.3
Temporal Score: 3.7
Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS Score Source: manual
CVSS v3
Risk Factor: Low
Base Score: 3.1
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Vulnerability Information
CPE: cpe:/a:zoho:manageengine_assetexplorer
Required KB Items: installed_sw/ManageEngine AssetExplorer
Exploit Available: true
Exploit Ease: No exploit is required
Patch Publication Date: 9/23/2015
Vulnerability Publication Date: 6/22/2015
Reference Information
CVE: CVE-2015-2169, CVE-2015-5061