Title: ManageEngine EventLog Analyzer Multiple Cross-site Scripting (XSS) Vulnerabilities Risk (CVSS2 Base Score): Low (3.9) Solutionary ID: SERT-VDN-1001 CVE ID: Pending Solutionary disclosure URL: http://www.solutionary.com/index/SERT/Vuln-Disclosures/ManageEngine-XSS-vulnerabilities.html Product: ManageEngine EventLog Analyzer version 6.1 Application vendor: ManageEngine Vendor URL: http://www.manageengine.com/products/eventlog/ Date discovered: 9/15/2010 Discovered by: Rob Kraus, Jose Hernandez, and Solutionary Engineering Research Team (SERT) Vendor notification date: 10/26/2010 Vendor response date: 11/12/2010 Vendor acknowledgment date: 12/2/2010 Vendor provided fix: No fix provided Release coordinated with the vendor: N/A Public disclosure date: 12/10/2010 Type of vulnerability: Cross-site Scripting (XSS) Exploit vectors: Local and Remote Vulnerability description: The web application management interface of ManageEngine contains multiple injection points, which allow for execution of Cross-site Scripting (XSS) attacks. Arbitrary client side code such as JavaScript can be included into certain parameters throughout the web application. The following parameters and web pages have been tested and verified; however, it is likely more views and parameters within the application are vulnerable: INDEX.do (HOST_ID, OS, GROUP, exportFile, load, type, tab) parameters INDEX2.do (reported) parameter hostlist.do (gId) parameter globalSettings.do (newWindow) parameter enableHost.do (STATUS) parameter Tested on: Windows XP, SP1, with EventLog Analyzer version 6.1 default installation. Affected software versions: ManageEngine EventLog Analyzer version 6.1 (previous versions may also be vulnerable) Impact: Successful attacks could disclose sensitive information about the user, session, and syslog clients to the attacker, resulting in a loss of confidentiality. Using XSS, an attacker could insert malicious code into a web page and entice naïve users to execute the malicious code. Fixed in: No fix currently available. Remediation guidelines: The vendor has not provided any remediation guidelines to address this issue. Solutionary recommends upgrading the application if patches are provided to address the issue identified. Keywords: security, vulnerability, ManageEngine, syslog, xss, event, log, cross-site scripting Solutionary, Inc. Vulnerability Disclosure Policy http://www.solutionary.com/index/SERT/Vulnerability-Disclosure-Policy.html