CVE-2010-4841

Name of the Vulnerable Software and Affected Versions ManageEngine EventLog Analyzer version 6.1

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities that allow remote attackers to inject arbitrary web script or HTML. This can be achieved via various parameters to different API endpoints, such as the HOST ID, OS, GROUP, exportFile, load, type, or tab parameter to "INDEX.do", the reported parameter to "INDEX2.do", the gId parameter to "hostlist.do", the newWindow parameter to "globalSettings.do", or the STATUS parameter to "enableHost.do".

Recommendations For ManageEngine EventLog Analyzer version 6.1, update to a version that includes Build 9000 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected API endpoints, such as "INDEX.do", "INDEX2.do", "hostlist.do", "globalSettings.do", and "enableHost.do", until the update is applied. Avoid using the vulnerable parameters, such as HOST ID, OS, GROUP, exportFile, load, type, tab, reported, gId, newWindow, and STATUS, in the respective API endpoints until the issue is resolved.