PT-2021-22836 · Zoho · Zoho ManageEngine Log360

Published: 2021-08-29 · Updated: 2021-09-01 · CVE-2021-40178

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Zoho ManageEngine Log360 versions prior to Build 5224

Description

The issue allows stored XSS via the LOGO PATH key value in the logon settings. This can potentially lead to malicious script execution when a user accesses the affected logon settings page.

Recommendations

For versions prior to Build 5224, update to Build 5224 or later to resolve the issue. As a temporary workaround, consider restricting access to the logon settings page or disabling the LOGO PATH key value until a patch is applied. Avoid using the LOGO PATH key value in the logon settings until the issue is resolved.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2021-40178

Affected Products

Zoho ManageEngine Log360