
Pim J.F. Campers

Researcher from Vulnerability Research Laboratory
#21192 of 53,635
11.8 Total CVSS
Vulnerabilities · 2 (Medium: 1, High: 1)

PT-2012-3051 · CVSS 4.3 · 2012-02-14
Zoho · Zoho Manageengine Applications Manager · CVE-2012-1062
Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine Applications Manager 9.x and 10.x allow remote attackers to inject arbitrary web script or HTML via the (1) period parameter to showHistoryData.do; (2) selectedNetwork, (3) network, or (4) group parameters to showresource.do; (5) header parameter to AlarmView.do; or (6) attName parameter to jsp/PopUp Graph.jsp. NOTE: the Search.do/query vector is already covered by CVE-2008-1566, and the jsp/ThresholdActionConfiguration.jsp redirectto vector is already covered by CVE-2008-0474.

PT-2012-3052 · CVSS 7.5 · 2012-02-14
Manageengine · Zoho Manageengine Applications Manager · CVE-2012-1063
**Name of the Vulnerable Software and Affected Versions**
ManageEngine Applications Manager versions 9.x through 10.x

**Description**
The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `viewId` parameter to "fault/AlarmView.do" or the `period` parameter to "showHistoryData.do".

**Recommendations**
For versions 9.x through 10.x, update to a version that contains a fix for this issue, as using these versions poses a significant risk due to the SQL injection vulnerabilities.