CVE-2007-3594

Name of the Vulnerable Software and Affected Versions ManageEngine OpManager versions 6 and 7

Description The issue allows remote attackers to inject arbitrary web script or HTML via several parameters in different API endpoints, including the name parameter in "/ping.do" and "/traceRoute.do" endpoints, reportName, displayName, and selectedNode parameters in the "/reports/ReportViewAction.do" endpoint, operation parameter in the "/admin/ServiceConfiguration.do" endpoint, and selectedNode and selectedTab parameters in the "/admin/DeviceAssociation.do" endpoint.

Recommendations For ManageEngine OpManager versions 6 and 7, consider disabling the affected API endpoints until a patch is available. Restrict access to the vulnerable parameters name, reportName, displayName, selectedNode, operation, and selectedTab to minimize the risk of exploitation. Avoid using these parameters in the affected endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.