CVE-2010-4841

Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine EventLog Analyzer 6.1 allow remote attackers to inject arbitrary web script or HTML via the (1) HOST_ID, (2) OS, (3) GROUP, (4) exportFile, (5) load, (6) type, or (7) tab parameter to INDEX.do, the (8) reported parameter to INDEX2.do, the (9) gId parameter to hostlist.do, the (10) newWindow parameter to globalSettings.do, or the (11) STATUS parameter to enableHost.do. Fixed in Build 9000.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:N/I:P/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www.solutionary.com/index/SERT/Vuln-Disclosures/ManageEngine-XSS-vulnerabilities.html

Configurations

Configuration 1 (hide)

cpe:2.3:a:manageengine:eventlog_analyzer:6.1:*:*:*:*:*:*:*

History

No history.

Information

Published : 2011-09-27 19:55

Updated : 2024-02-04 17:54

NVD link : CVE-2010-4841

Mitre link : CVE-2010-4841

CVE.ORG link : CVE-2010-4841

JSON object : View

Products Affected

manageengine

eventlog_analyzer

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2010-4841", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}]}, "published": "2011-09-27T19:55:03.060", "references": [{"url": "http://www.solutionary.com/index/SERT/Vuln-Disclosures/ManageEngine-XSS-vulnerabilities.html", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine EventLog Analyzer 6.1 allow remote attackers to inject arbitrary web script or HTML via the (1) HOST_ID, (2) OS, (3) GROUP, (4) exportFile, (5) load, (6) type, or (7) tab parameter to INDEX.do, the (8) reported parameter to INDEX2.do, the (9) gId parameter to hostlist.do, the (10) newWindow parameter to globalSettings.do, or the (11) STATUS parameter to enableHost.do. Fixed in Build 9000."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades cross-site scripting (XSS) en ManageEngine EventLog Analyzer 6.1 permiten a los atacantes remotos inyectar script web arbitrario o HTML a trav\u00e9s del (1) HOST_ID, (2) OS, (3) GROUP, (4) exportFile, (5) load , (6) tipo o (7) par\u00e1metro de pesta\u00f1a a INDEX.do, el (8) par\u00e1metro informado a INDEX2.do, el par\u00e1metro (9) gId a hostlist.do, el par\u00e1metro (10) newWindow a globalSettings.do, o el par\u00e1metro (11) STATUS para enableHost.do. Corregido en Build 9000."}], "lastModified": "2020-03-26T14:15:11.653", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:manageengine:eventlog_analyzer:6.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8D8D7FF0-17E5-4253-ADA9-9E969700F295"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}