CVE-2019-8928

Name of the Vulnerable Software and Affected Versions Zoho ManageEngine Netflow Analyzer Professional version 7.0.0.2

Description A security issue was found in the software, where a cross-site scripting (XSS) attack is possible. This occurs in the "/netflow/jspui/userManagementForm.jsp" API endpoint via the authMeth, passWord, pwd1, and userName GET parameters.

Recommendations For Zoho ManageEngine Netflow Analyzer Professional version 7.0.0.2, as a temporary workaround, consider restricting access to the "/netflow/jspui/userManagementForm.jsp" endpoint until a patch is available. Avoid using the authMeth, passWord, pwd1, and userName parameters in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.