Summary
This host is running ManageEngine ServiceDesk Plus and is prone to multiple cross site scripting vulnerabilities.
Impact
Successful exploitation will allow attacker to execute arbitrary HTML and script code in a user's browser session in the context of a vulnerable site. This may allow an attacker to steal cookie-based authentications and launch further attacks.
Impact Level: Application
Solution
No solution or patch was made available for at least one year since disclosure of this vulnerability. Likely none will be provided anymore.
General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.
Insight
Multiple flaws are due to an error in,
- 'SetUpWizard.do' when handling configuration wizard (add new technician) action via 'Name' parameter.
- 'SiteDef.do' when handling add a new site action via 'Site name' parameter.
- 'GroupResourcesDef.do' when handling add a create group action via 'Group Name' parameter.
- 'LicenseAgreement.do' when handling add a new license agreement action via 'Agreement Number' parameter.
- 'ManualNodeAddition.do' when handling server configuration (computer) action via 'Name' parameter.
Affected
ManageEngine ServiceDesk Plus 8.0 Build 8013 and prior.
References
Severity
Classification
-
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Related Vulnerabilities
- An Image Gallery Directory Traversal Vulnerability
- Apache ActiveMQ Source Code Information Disclosure Vulnerability
- 1024 CMS 1.1.0 Beta 'force_download.php' Local File Include Vulnerability
- Apache Tomcat HTTP BIO Connector Information Disclosure Vulnerability
- Apache Rave User Information Disclosure Vulnerability