CVE-2019-8927

Name of the Vulnerable Software and Affected Versions Zoho ManageEngine Netflow Analyzer Professional version 7.0.0.2

Description An issue exists in the Administration zone of the software. Cross-site scripting (XSS) is possible in the /netflow/jspui/scheduleConfig.jsp file via several GET parameters, including devSrc, emailId, excWeekModify, filterFlag, getFilter, mailReport, mset, popup, rep schedule, rep Type, schDesc, schName, schSource, selectDeviceDone, task, val10, and val11.

Recommendations For Zoho ManageEngine Netflow Analyzer Professional version 7.0.0.2, consider restricting access to the vulnerable /netflow/jspui/scheduleConfig.jsp file until a patch is available. As a temporary workaround, avoid using the specified GET parameters in this file to minimize the risk of exploitation.