PT-2008-2106 · Zoho · Zoho Manageengine Applications Manager
Published 2008-01-29 · Updated 2017-08-08
CVE-2008-0474
CVSS v2.0
4.3
Medium
| Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
ManageEngine Applications Manager version 8.1 build 8100
Description
Multiple cross-site scripting (XSS) vulnerabilities. Remote attackers can inject arbitrary web script or HTML through request parameters that the following pages and request handlers write back into their responses without output encoding:
- jsp/DiscoveryProfiles.jsp: the showlink parameter
- jsp/ThresholdActionConfiguration.jsp: the attributeIDs, attributeToSelect, redirectto, and resourceid parameters
- jsp/UpdateGlobalSettings.jsp: the page and redirect parameters
- showTile.do: the haid and returnpath parameters
Recommendations
For ManageEngine Applications Manager version 8.1 build 8100, consider disabling access to the vulnerable pages until a patch is available.
Validate the showlink, attributeIDs, attributeToSelect, redirectto, resourceid, page, redirect, haid, and returnpath parameters on the server and HTML-encode them wherever they are written into a response. The redirect-style parameters (page, redirect, redirectto, returnpath) should additionally be limited to site-relative paths, so that they cannot carry a javascript: URL or point at an external host.
Avoid using these parameters in the affected pages until the issue is resolved.
Exploit
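No exploit or patched code is reproduced on this page. The block below is an added example, not ManageEngine code, written to show the class of bug the advisory describes and the controls the recommendations call for: a parameter reflected verbatim into an HTML attribute, the same output with HTML encoding, an allow-list that restricts the redirect-style parameters to site-relative paths, and a request-side check over the advisory's parameter names that can feed a WAF rule or log review. The parameter names come from the advisory; the attack values, the hidden-input markup and the /index.do fallback are constructed assumptions.

```python
"""Added example (not ManageEngine code) for the XSS pattern behind CVE-2008-0474.
All sample values are constructed; only the parameter names come from the advisory."""
import html
from urllib.parse import parse_qs, urlsplit

# Parameter names listed in the advisory.
WATCHED_PARAMS = {
    "showlink", "attributeIDs", "attributeToSelect", "redirectto", "resourceid",
    "page", "redirect", "haid", "returnpath",
}
# The subset that names a page to return to; these must never become a javascript: URL
# or an external host.
REDIRECT_PARAMS = {"page", "redirect", "redirectto", "returnpath"}

# Constructed attack samples, one per parameter (assumption: not captured traffic).
SAMPLE_VALUES = {
    "showlink": '"><script>alert(document.cookie)</script>',
    "redirectto": "javascript:alert(1)",
    "returnpath": "//attacker.example/phish",
    "page": "/jsp/UpdateGlobalSettings.jsp?tab=1",
}


def render_unsafe(name, value):
    """Vulnerable pattern: the parameter is copied verbatim into an HTML attribute,
    so a value containing '">' closes the attribute and injects markup."""
    return '<input type="hidden" name="%s" value="%s">' % (name, value)


def render_safe(name, value):
    """Hardened form: HTML-encode the value for the attribute context.
    quote=True also encodes both quote characters, which plain &lt;/&gt; escaping misses."""
    return '<input type="hidden" name="%s" value="%s">' % (name, html.escape(value, quote=True))


def is_safe_local_path(value):
    """Allow-list for redirect-style parameters: a single site-relative path only.
    Rejects absolute URLs, scheme-relative '//host' forms, 'javascript:' and other
    schemes, backslashes (browsers treat '/\\' like '//'), control characters and
    HTML metacharacters."""
    if not value or not value.startswith("/") or value.startswith("//"):
        return False
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return False
    return not any(ord(c) < 0x20 or c in '\\<>"\'' for c in value)


def safe_redirect_target(value, default="/index.do"):
    """Use the supplied target only if it passes the allow-list; otherwise fall back
    to a fixed local page (the default path is an assumption)."""
    return value if is_safe_local_path(value) else default


def flag_suspicious(query_string):
    """Request-side check: return (param, value) pairs where one of the advisory's
    parameters carries HTML metacharacters or a script scheme, or where a
    redirect-style parameter is not a site-relative path."""
    hits = []
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for v in values:
            lowered = v.strip().lower()
            if any(c in v for c in '<>"\'') or lowered.startswith(("javascript:", "data:", "vbscript:")):
                hits.append((name, v))
            elif name in REDIRECT_PARAMS and not is_safe_local_path(v):
                hits.append((name, v))
    return hits


if __name__ == "__main__":
    for name, value in SAMPLE_VALUES.items():
        print("unsafe:", render_unsafe(name, value))
        print("safe:  ", render_safe(name, value))
        if name in REDIRECT_PARAMS:
            print("redirect to:", safe_redirect_target(value))
    print(flag_suspicious("haid=1&returnpath=%3Cscript%3Ealert(1)%3C%2Fscript%3E&showlink=ok"))
```

The encoding has to match the output context: html.escape is right for element text and attribute values, but a value written inside a script block or an event handler needs JavaScript-string encoding instead, and a value used as a redirect target needs the allow-list rather than encoding, since a javascript: URL contains no HTML metacharacters at all. In the JSP pages themselves the equivalent of render_safe is writing the parameter through an encoding tag such as JSTL's c:out rather than a raw expression.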
Fix
XSS
Weakness Enumeration
Related identifiers
Affected products
Zoho Manageengine Applications Manager