cnvd - cnvd-2018-17621

cnvd-2018-17621

Vulnerability from cnvd

Title: 多款ZOHO产品跨站脚本漏洞

Description:

ZOHO ManageEngine Netflow Analyzer等都是美国卓豪（ZOHO）公司的产品。ZOHO ManageEngine Netflow Analyzer是一套基于Web的带宽监控工具。Network Configuration Manager是一套用于配置交换机、路由器、防火墙和其他网络设备的网络配置管理、网络变更和配置管理（NCCM）软件。

多款ZOHO产品中存在跨站脚本漏洞。远程攻击者可通过向/servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet URL发送‘operation’参数利用该漏洞注入任意的Web脚本或HTML。

Severity: 中

Patch Name: 多款ZOHO产品跨站脚本漏洞的补丁

Patch Description:

多款ZOHO产品中存在跨站脚本漏洞。远程攻击者可通过向/servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet URL发送‘operation’参数利用该漏洞注入任意的Web脚本或HTML。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： https://www.manageengine.com/

Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-12998

Impacted products

Name
['ZOHO ManageEngine Netflow Analyzer <build 123137', 'ZOHO ManageEngine Network Configuration Manager <build 123128', 'ZOHO ManageEngine OpManager <build 123148', 'ZOHO ManageEngine OpUtils <build 123161']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-12998",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12998"
    }
  },
  "description": "ZOHO ManageEngine Netflow Analyzer\u7b49\u90fd\u662f\u7f8e\u56fd\u5353\u8c6a\uff08ZOHO\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002ZOHO ManageEngine Netflow Analyzer\u662f\u4e00\u5957\u57fa\u4e8eWeb\u7684\u5e26\u5bbd\u76d1\u63a7\u5de5\u5177\u3002Network Configuration Manager\u662f\u4e00\u5957\u7528\u4e8e\u914d\u7f6e\u4ea4\u6362\u673a\u3001\u8def\u7531\u5668\u3001\u9632\u706b\u5899\u548c\u5176\u4ed6\u7f51\u7edc\u8bbe\u5907\u7684\u7f51\u7edc\u914d\u7f6e\u7ba1\u7406\u3001\u7f51\u7edc\u53d8\u66f4\u548c\u914d\u7f6e\u7ba1\u7406\uff08NCCM\uff09\u8f6f\u4ef6\u3002\r\n\r\n\u591a\u6b3eZOHO\u4ea7\u54c1\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5411/servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet URL\u53d1\u9001\u2018operation\u2019\u53c2\u6570\u5229\u7528\u8be5\u6f0f\u6d1e\u6ce8\u5165\u4efb\u610f\u7684Web\u811a\u672c\u6216HTML\u3002",
  "discovererName": "Xiaotian Wang",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://www.manageengine.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-17621",
  "openTime": "2018-09-05",
  "patchDescription": "ZOHO ManageEngine Netflow Analyzer\u7b49\u90fd\u662f\u7f8e\u56fd\u5353\u8c6a\uff08ZOHO\uff09\u516c\u53f8\u7684\u4ea7\u54c1\u3002ZOHO ManageEngine Netflow Analyzer\u662f\u4e00\u5957\u57fa\u4e8eWeb\u7684\u5e26\u5bbd\u76d1\u63a7\u5de5\u5177\u3002Network Configuration Manager\u662f\u4e00\u5957\u7528\u4e8e\u914d\u7f6e\u4ea4\u6362\u673a\u3001\u8def\u7531\u5668\u3001\u9632\u706b\u5899\u548c\u5176\u4ed6\u7f51\u7edc\u8bbe\u5907\u7684\u7f51\u7edc\u914d\u7f6e\u7ba1\u7406\u3001\u7f51\u7edc\u53d8\u66f4\u548c\u914d\u7f6e\u7ba1\u7406\uff08NCCM\uff09\u8f6f\u4ef6\u3002\r\n\r\n\u591a\u6b3eZOHO\u4ea7\u54c1\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u5411/servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet URL\u53d1\u9001\u2018operation\u2019\u53c2\u6570\u5229\u7528\u8be5\u6f0f\u6d1e\u6ce8\u5165\u4efb\u610f\u7684Web\u811a\u672c\u6216HTML\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "\u591a\u6b3eZOHO\u4ea7\u54c1\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "ZOHO ManageEngine Netflow Analyzer \u003cbuild 123137",
      "ZOHO ManageEngine Network Configuration Manager \u003cbuild 123128",
      "ZOHO ManageEngine OpManager \u003cbuild 123148",
      "ZOHO ManageEngine OpUtils \u003cbuild 123161"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2018-12998",
  "serverity": "\u4e2d",
  "submitTime": "2018-07-03",
  "title": "\u591a\u6b3eZOHO\u4ea7\u54c1\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2018-12998 (GCVE-0-2018-12998)

Vulnerability from cvelistv5

Published

2018-06-29 12:00

Modified

2024-08-05 08:52

Severity ?

CWE

Summary

A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows remote attackers to inject arbitrary web script or HTML via the parameter 'operation' to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.

References

▼	URL	Tags
	http://packetstormsecurity.com/files/148635/Zoho-ManageEngine-13-13790-build-XSS-File-Read-File-Deletion.html	x_refsource_MISC
	https://github.com/unh3x/just4cve/issues/10	x_refsource_MISC
	http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201807-036	x_refsource_MISC
	http://seclists.org/fulldisclosure/2018/Jul/75	mailing-list, x_refsource_FULLDISC

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T08:52:49.220Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/148635/Zoho-ManageEngine-13-13790-build-XSS-File-Read-File-Deletion.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/unh3x/just4cve/issues/10"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201807-036"
          },
          {
            "name": "20180720 [CVE-2018-12998]Zoho manageengine Reflected XSS in multiple Products",
            "tags": [
              "mailing-list",
              "x_refsource_FULLDISC",
              "x_transferred"
            ],
            "url": "http://seclists.org/fulldisclosure/2018/Jul/75"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-06-29T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows remote attackers to inject arbitrary web script or HTML via the parameter \u0027operation\u0027 to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-07-24T13:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/148635/Zoho-ManageEngine-13-13790-build-XSS-File-Read-File-Deletion.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/unh3x/just4cve/issues/10"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201807-036"
        },
        {
          "name": "20180720 [CVE-2018-12998]Zoho manageengine Reflected XSS in multiple Products",
          "tags": [
            "mailing-list",
            "x_refsource_FULLDISC"
          ],
          "url": "http://seclists.org/fulldisclosure/2018/Jul/75"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-12998",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A reflected Cross-site scripting (XSS) vulnerability in Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 allows remote attackers to inject arbitrary web script or HTML via the parameter \u0027operation\u0027 to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://packetstormsecurity.com/files/148635/Zoho-ManageEngine-13-13790-build-XSS-File-Read-File-Deletion.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/148635/Zoho-ManageEngine-13-13790-build-XSS-File-Read-File-Deletion.html"
            },
            {
              "name": "https://github.com/unh3x/just4cve/issues/10",
              "refsource": "MISC",
              "url": "https://github.com/unh3x/just4cve/issues/10"
            },
            {
              "name": "http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201807-036",
              "refsource": "MISC",
              "url": "http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201807-036"
            },
            {
              "name": "20180720 [CVE-2018-12998]Zoho manageengine Reflected XSS in multiple Products",
              "refsource": "FULLDISC",
              "url": "http://seclists.org/fulldisclosure/2018/Jul/75"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-12998",
    "datePublished": "2018-06-29T12:00:00",
    "dateReserved": "2018-06-29T00:00:00",
    "dateUpdated": "2024-08-05T08:52:49.220Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted