Solutionary ID: SERT-VDN-1001
Risk Rating: Low
CVE ID: CVE-2010-4841
Product: ManageEngine EventLog Analyzer version 6.1
Application Vendor: ManageEngine
Vendor URL: http://www.manageengine.com/products/eventlog/
Date discovered: 9/15/2010
Discovered by: Rob Kraus, Jose Hernandez, and Solutionary Engineering Research Team (SERT)
Vendor notification date: 10/26/2010
Vendor response date: 11/12/2010
Vendor acknowledgment date: 12/2/2010
Public disclosure date: 12/10/2010
Type of vulnerability: Cross-site Scripting (XSS)
Exploit Vectors: Local and Remote
  INDEX.do (HOST_ID, OS, GROUP, exportFile, load, type, tab) parameters
  INDEX2.do (reported) parameter
  hostlist.do (gId) parameter
  globalSettings.do (newWindow) parameter
  enableHost.do (STATUS) parameter
Tested on: Windows XP, SP1, with EventLog Analyzer version 6.1 default installation.
Affected software versions: ManageEngine EventLog Analyzer version 6.1 (previous versions may also be vulnerable)
Impact: Successful attacks could disclose sensitive information about the user, session, and syslog clients to the attacker, resulting in a loss of confidentiality. Using XSS, an attacker could insert malicious code into a web page and entice naïve users to execute the malicious code.
Fixed in: No fix currently available.
Remediation guidelines: The vendor has not provided any remediation guidelines to address this issue. Solutionary recommends upgrading the application if patches are provided to address the issue identified.
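Since no vendor fix is available, an operator's practical option is to watch the web server logs for requests that carry HTML metacharacters in the parameters this advisory names. The following script is an added example written for this page; it is not Solutionary's or ManageEngine's code. It assumes an Apache-style combined access log in front of the application (the log lines below are constructed samples) and that the endpoint names are matched case-insensitively on the last path segment, which is an assumption, not something the advisory states.

```python
"""Flag requests whose advisory-listed parameters contain raw HTML metacharacters.

Added example for the SERT-VDN-1001 advisory; not vendor code.
Assumes Apache-style access log lines and case-insensitive endpoint names.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint -> parameters taken from the advisory (lower-cased for matching).
ADVISORY_PARAMS = {
    "index.do": {"host_id", "os", "group", "exportfile", "load", "type", "tab"},
    "index2.do": {"reported"},
    "hostlist.do": {"gid"},
    "globalsettings.do": {"newwindow"},
    "enablehost.do": {"status"},
}

# Characters that should never reach an HTML page unencoded.
HTML_META = re.compile(r"""[<>"']""")

# client - - [timestamp] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log lines (not from any real deployment).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2010:10:00:01 +0000] "GET /event/index.do?HOST_ID=12&tab=system HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Dec/2010:10:00:07 +0000] "GET /event/index.do?HOST_ID=12%22%3E%3Cb%3Ex HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Dec/2010:10:00:09 +0000] "GET /event/hostlist.do?gId=%3Cimg%20x%3E HTTP/1.1" 200 512',
    '10.0.0.3 - - [10/Dec/2010:10:00:11 +0000] "GET /event/otherpage.do?q=%3Cb%3E HTTP/1.1" 404 200',
]


def suspicious_params(url):
    """Return {param: decoded_value} for advisory parameters whose value
    contains HTML metacharacters; empty dict if the endpoint is not listed."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1].lower()
    watched = ADVISORY_PARAMS.get(script)
    if not watched:
        return {}
    hits = {}
    # parse_qs already percent-decodes once; unquote twice more to catch
    # double-encoded values that a WAF or naive filter might miss.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() not in watched:
            continue
        for value in values:
            decoded = unquote(unquote(value))
            if HTML_META.search(decoded):
                hits[name] = decoded
    return hits


def scan_log(lines):
    """Return a list of (client, path, hits) for every line that triggers."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than crash on them
        client, _ts, _method, path, _status = match.groups()
        hits = suspicious_params(path)
        if hits:
            findings.append((client, path, hits))
    return findings


if __name__ == "__main__":
    for client, path, hits in scan_log(SAMPLE_LOG):
        print(f"{client} {path} -> {hits}")
```

Only requests to the five listed endpoints are inspected, so ordinary traffic to other pages never trips the rule; the check fires on the decoded value, so percent- or double-encoded forms are treated the same as the literal characters. Feed the real log through `scan_log` instead of `SAMPLE_LOG` to use it in practice.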