cnvd - cnvd-2015-00838

cnvd-2015-00838

Vulnerability from cnvd

Title: SupportCenter Plus存在多个跨站脚本漏洞

Description:

SupportCenter Plus是一个基于web的客户支持软件。

SupportCenter Plus存在多个跨站脚本漏洞。由于通过"fromCustomer" HTTP GET参数传递到"/HomePage.do"脚本,"username"和"password" HTTP POST参数传递到"/HomePage.do"脚本的输入在被返回给用户之前未能正确过滤，攻击者可以利用漏洞欺骗一个登录的用户打开一个链接，在受影响网站的上下文浏览器中执行任意的HTML和脚本代码。

Severity: 中

Patch Name: SupportCenter Plus存在多个跨站脚本漏洞的补丁

Patch Description:

SupportCenter Plus是一个基于web的客户支持软件。

Formal description:

SupportCenter Plus build 7941 已修复此漏洞，建议用户下载使用： https://forums.manageengine.com/topic/security-update-for-supportcenter-plus

Reference: https://www.htbridge.com/advisory/HTB23247

Impacted products

Name
Zoho Corporation Pvt. Ltd. SupportCenter Plus <= 7.9

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "72349"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-0866"
    }
  },
  "description": "SupportCenter Plus\u662f\u4e00\u4e2a\u57fa\u4e8eweb\u7684\u5ba2\u6237\u652f\u6301\u8f6f\u4ef6\u3002\r\n\r\nSupportCenter Plus\u5b58\u5728\u591a\u4e2a\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u7531\u4e8e\u901a\u8fc7\"fromCustomer\" HTTP GET\u53c2\u6570\u4f20\u9012\u5230\"/HomePage.do\"\u811a\u672c,\"username\"\u548c\"password\" HTTP POST\u53c2\u6570\u4f20\u9012\u5230\"/HomePage.do\"\u811a\u672c\u7684\u8f93\u5165\u5728\u88ab\u8fd4\u56de\u7ed9\u7528\u6237\u4e4b\u524d\u672a\u80fd\u6b63\u786e\u8fc7\u6ee4\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u6b3a\u9a97\u4e00\u4e2a\u767b\u5f55\u7684\u7528\u6237\u6253\u5f00\u4e00\u4e2a\u94fe\u63a5\uff0c\u5728\u53d7\u5f71\u54cd\u7f51\u7ad9\u7684\u4e0a\u4e0b\u6587\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u4efb\u610f\u7684HTML\u548c\u811a\u672c\u4ee3\u7801\u3002",
  "discovererName": "High-Tech Bridge Security Research Lab",
  "formalWay": "SupportCenter Plus build 7941 \u5df2\u4fee\u590d\u6b64\u6f0f\u6d1e\uff0c\u5efa\u8bae\u7528\u6237\u4e0b\u8f7d\u4f7f\u7528\uff1a\r\nhttps://forums.manageengine.com/topic/security-update-for-supportcenter-plus",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-00838",
  "openTime": "2015-01-30",
  "patchDescription": "SupportCenter Plus\u662f\u4e00\u4e2a\u57fa\u4e8eweb\u7684\u5ba2\u6237\u652f\u6301\u8f6f\u4ef6\u3002 \r\n\r\nSupportCenter Plus\u5b58\u5728\u591a\u4e2a\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u7531\u4e8e\u901a\u8fc7\"fromCustomer\" HTTP GET\u53c2\u6570\u4f20\u9012\u5230\"/HomePage.do\"\u811a\u672c,\"username\"\u548c\"password\" HTTP POST\u53c2\u6570\u4f20\u9012\u5230\"/HomePage.do\"\u811a\u672c\u7684\u8f93\u5165\u5728\u88ab\u8fd4\u56de\u7ed9\u7528\u6237\u4e4b\u524d\u672a\u80fd\u6b63\u786e\u8fc7\u6ee4\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u6b3a\u9a97\u4e00\u4e2a\u767b\u5f55\u7684\u7528\u6237\u6253\u5f00\u4e00\u4e2a\u94fe\u63a5\uff0c\u5728\u53d7\u5f71\u54cd\u7f51\u7ad9\u7684\u4e0a\u4e0b\u6587\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u4efb\u610f\u7684HTML\u548c\u811a\u672c\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SupportCenter Plus\u5b58\u5728\u591a\u4e2a\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Zoho Corporation Pvt. Ltd. SupportCenter Plus \u003c= 7.9"
  },
  "referenceLink": "https://www.htbridge.com/advisory/HTB23247",
  "serverity": "\u4e2d",
  "submitTime": "2015-01-28",
  "title": "SupportCenter Plus\u5b58\u5728\u591a\u4e2a\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2015-0866 (GCVE-0-2015-0866)

Vulnerability from cvelistv5

Published

2015-02-02 15:00

Modified

2024-08-06 04:26

Severity ?

CWE

Summary

Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.9 before hotfix 7941 allow remote attackers to inject arbitrary web script or HTML via the (1) fromCustomer, (2) username, or (3) password parameter to HomePage.do.

References

▼	URL	Tags
	https://www.htbridge.com/advisory/HTB23247	x_refsource_MISC
	https://forums.manageengine.com/topic/security-update-for-supportcenter-plus	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/72349	vdb-entry, x_refsource_BID
	http://www.securityfocus.com/archive/1/534564/100/0/threaded	mailing-list, x_refsource_BUGTRAQ

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T04:26:11.166Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.htbridge.com/advisory/HTB23247"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://forums.manageengine.com/topic/security-update-for-supportcenter-plus"
          },
          {
            "name": "72349",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/72349"
          },
          {
            "name": "20150128 Two XSS Vulnerabilities in SupportCenter Plus",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/534564/100/0/threaded"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-01-23T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.9 before hotfix 7941 allow remote attackers to inject arbitrary web script or HTML via the (1) fromCustomer, (2) username, or (3) password parameter to HomePage.do."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-09T18:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.htbridge.com/advisory/HTB23247"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://forums.manageengine.com/topic/security-update-for-supportcenter-plus"
        },
        {
          "name": "72349",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/72349"
        },
        {
          "name": "20150128 Two XSS Vulnerabilities in SupportCenter Plus",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/534564/100/0/threaded"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-0866",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.9 before hotfix 7941 allow remote attackers to inject arbitrary web script or HTML via the (1) fromCustomer, (2) username, or (3) password parameter to HomePage.do."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.htbridge.com/advisory/HTB23247",
              "refsource": "MISC",
              "url": "https://www.htbridge.com/advisory/HTB23247"
            },
            {
              "name": "https://forums.manageengine.com/topic/security-update-for-supportcenter-plus",
              "refsource": "CONFIRM",
              "url": "https://forums.manageengine.com/topic/security-update-for-supportcenter-plus"
            },
            {
              "name": "72349",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/72349"
            },
            {
              "name": "20150128 Two XSS Vulnerabilities in SupportCenter Plus",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/534564/100/0/threaded"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2015-0866",
    "datePublished": "2015-02-02T15:00:00",
    "dateReserved": "2015-01-07T00:00:00",
    "dateUpdated": "2024-08-06T04:26:11.166Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted