PT-2018-11527 · Zoho · Zoho Manageengine Network Configuration Manager+4
Unh3X +1 · Published 2018-06-29 · Updated 2023-12-07 · CVE-2018-12998
CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Zoho ManageEngine Netflow Analyzer versions prior to build 123137
Zoho ManageEngine Network Configuration Manager versions prior to build 123128
Zoho ManageEngine OpManager versions prior to build 123148
Zoho ManageEngine OpUtils versions prior to build 123161
Zoho ManageEngine Firewall Analyzer versions prior to build 123147
Description
A reflected cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the "operation" parameter to the "/servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet" API endpoint.
Recommendations
For Zoho ManageEngine Netflow Analyzer versions prior to build 123137, update to build 123137 or later.
For Zoho ManageEngine Network Configuration Manager versions prior to build 123128, update to build 123128 or later.
For Zoho ManageEngine OpManager versions prior to build 123148, update to build 123148 or later.
For Zoho ManageEngine OpUtils versions prior to build 123161, update to build 123161 or later.
For Zoho ManageEngine Firewall Analyzer versions prior to build 123147, update to build 123147 or later.
As a temporary workaround, consider restricting access to the "/servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet" API endpoint and avoid using the "operation" parameter until a patch is applied.
Exploit
Fix
XSS
Affected Products
Zoho Manageengine Firewall Analyzer
Zoho Manageengine Netflow Analyzer
Zoho Manageengine Network Configuration Manager
Zoho Manageengine Opmanager
Zoho Manageengine Oputils
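
While the update is being rolled out, web access logs can be reviewed for requests that send markup in the "operation" parameter of the endpoint named in the description. The following is an added example, not code from this advisory or from Zoho; the common/combined log format, the sample lines and the function names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, unquote_plus, urlsplit

# Endpoint and parameter named in the advisory.
ENDPOINT = "/servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet"
PARAM = "operation"
# Request field of a common/combined-format access log line (assumed format).
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Characters needed to leave an HTML text or attribute context.
MARKUP = re.compile(r"[<>\"'`]")

def decode_fully(value, max_rounds=3):
    """Undo layered percent-encoding (%253C -> %3C -> <)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_requests(lines):
    """Return (line number, decoded value) for each suspicious request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        # Drop path parameters such as ;jsessionid before comparing.
        path = unquote(url.path).split(";")[0].rstrip("/")
        if path != ENDPOINT:
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            value = decode_fully(raw)
            if MARKUP.search(value):
                hits.append((number, value))
    return hits

# Constructed sample lines (documentation IP range, made-up parameter values).
PREFIX = '203.0.113.7 - - [29/Jun/2018:10:00:00 +0000] "GET '
SAMPLE_LOG = [
    f'{PREFIX}{ENDPOINT}?operation=example HTTP/1.1" 200 512',
    f'{PREFIX}{ENDPOINT}?operation=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 540',
    f'{PREFIX}{ENDPOINT}?operation=%253Ci%253Ex HTTP/1.1" 200 530',
    f'{PREFIX}/index.html?operation=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, value in flag_requests(SAMPLE_LOG):
        print(f"line {number}: {PARAM}={value!r}")
```

Only query-string parameters appear in access logs, so requests that carry the parameter in a POST body need a proxy or WAF log instead.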