CVE-2014-4930

Name of the Vulnerable Software and Affected Versions ManageEngine EventLog Analyzer versions prior to 9.0 build 9002

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via various parameters, including width, height, url, helpP, tab, module, completeData, RBBNAME, TC, rtype, eventCriteria, q, flushCache, or product.

Recommendations For ManageEngine EventLog Analyzer versions prior to 9.0 build 9002, update to a version that includes the fix, such as Build 11072 or later. As a temporary workaround, consider restricting access to the event/index2.do endpoint until the issue is resolved. Avoid using the vulnerable parameters in the affected endpoint until the issue is fixed.