Monday 12 March 2018

Responsible Disclosure - ManageEngine EventLog Analyzer - Stored XSS - CVE-2018-7405

Stored Cross-Site Scripting Vulnerability:

Zoho ManageEngine EventLog Analyzer 11.10 is vulnerable to stored cross-site scripting. In the log file import option, if an adversary uploads a log file containing JavaScript (malicious content), the application does not sanitize or encode the input fields read from the log file. The injected JavaScript content is stored in the database and rendered, unencoded, on the Log Search page.

An adversary can execute scripts in a victim's browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user's browser using malware, etc.
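The root cause described above is a missing output-encoding step between the stored log text and the HTML of the search page. The following is an added example (not ManageEngine code and not part of the original advisory) that shows the vulnerable rendering pattern next to the hardened one, using constructed sample log lines; the function names and the table layout are assumptions for illustration.

```javascript
// Added example, not from the advisory or from ManageEngine: contextual
// output encoding for log lines displayed on a search results page.
// The log lines below are constructed samples, not real EventLog Analyzer data.
const SAMPLE_LOG_LINES = [
  "Mar 12 10:01:02 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5",
  "Mar 12 10:01:07 host1 app: user=\"bob\" action=login <script>alert('x')</script>",
];

// HTML-encode the five characters that can change parsing context inside an
// HTML element body or a double-quoted attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: untrusted log text is concatenated straight into markup,
// so any tag contained in an imported log line becomes part of the page.
function renderSearchResultsUnsafe(lines) {
  return "<table>" + lines.map((l) => `<tr><td>${l}</td></tr>`).join("") + "</table>";
}

// Hardened pattern: every untrusted field is encoded for the HTML body context
// before concatenation. Attribute, URL and JavaScript contexts each need their
// own encoder; one escaper does not cover all of them.
function renderSearchResultsSafe(lines) {
  return "<table>" + lines.map((l) => `<tr><td>${escapeHtml(l)}</td></tr>`).join("") + "</table>";
}

// Simple regression check for a test suite: the template itself emits no
// <script> tag, so any raw <script> in the output must have come from input.
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log("unsafe leaks tag:", containsRawScriptTag(renderSearchResultsUnsafe(SAMPLE_LOG_LINES)));
console.log("safe leaks tag:  ", containsRawScriptTag(renderSearchResultsSafe(SAMPLE_LOG_LINES)));
```

When the page is built in the browser rather than on the server, the equivalent fix is to assign log text with `textContent` (or a templating engine that encodes by default) instead of `innerHTML`; the check in `containsRawScriptTag` is useful as a unit test on the server-side renderer so the encoding step cannot be dropped silently in a later refactor.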

Zoho ManageEngine acknowledged the reported vulnerability and a fix has been released: EventLog Analyzer 11.12 Build 11120, released on 7 Mar 2018.


Advisory/Release Notes

https://pitstop.manageengine.com/portal/community/topic/security-notice

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7405

https://www.manageengine.com/products/eventlog/release-notes.html