SB2022020138 - Multiple vulnerabilities in Zoho ManageEngine OpManager
Published: February 1, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Improper access control (CVE-ID: N/A)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted information.
The vulnerability exists due to global search implementation does not check user access role when displaying search results. A remote user can perform global search and obtain information that should not be otherwise accessible.
2) Stored cross-site scripting (CVE-ID: N/A)
The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data in the Schedule name field of Schedule page in NCM feature. A remote user can permanenlty inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
3) Stored cross-site scripting (CVE-ID: N/A)
The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied datain the Change rule name field of Change Notification page in NCM feature. A remote user can permanenlty inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
Remediation
Install update from vendor's website.