cvelistv5 - cve-2010-3274

cve-2010-3274

Vulnerability from cvelistv5

Published

2011-02-17 17:00

Modified

2024-08-07 03:03

Severity ?

Summary

References

URL	Tags
cve@mitre.org	http://secunia.com/advisories/43241	Vendor Advisory
cve@mitre.org	http://securityreason.com/securityalert/8089
cve@mitre.org	http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities	Exploit
cve@mitre.org	http://www.osvdb.org/70871	Exploit
cve@mitre.org	http://www.osvdb.org/70872	Exploit
cve@mitre.org	http://www.securityfocus.com/archive/1/516396/100/0/threaded
cve@mitre.org	http://www.securityfocus.com/bid/46331	Exploit
cve@mitre.org	http://www.vupen.com/english/advisories/2011/0392	Vendor Advisory
cve@mitre.org	https://exchange.xforce.ibmcloud.com/vulnerabilities/65349
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/43241	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://securityreason.com/securityalert/8089
af854a3a-2127-422b-91ae-364da2661108	http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities	Exploit
af854a3a-2127-422b-91ae-364da2661108	http://www.osvdb.org/70871	Exploit
af854a3a-2127-422b-91ae-364da2661108	http://www.osvdb.org/70872	Exploit
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/archive/1/516396/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/46331	Exploit
af854a3a-2127-422b-91ae-364da2661108	http://www.vupen.com/english/advisories/2011/0392	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://exchange.xforce.ibmcloud.com/vulnerabilities/65349

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-07T03:03:18.637Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "43241",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SECUNIA",
                     "x_transferred",
                  ],
                  url: "http://secunia.com/advisories/43241",
               },
               {
                  name: "70872",
                  tags: [
                     "vdb-entry",
                     "x_refsource_OSVDB",
                     "x_transferred",
                  ],
                  url: "http://www.osvdb.org/70872",
               },
               {
                  name: "ADV-2011-0392",
                  tags: [
                     "vdb-entry",
                     "x_refsource_VUPEN",
                     "x_transferred",
                  ],
                  url: "http://www.vupen.com/english/advisories/2011/0392",
               },
               {
                  name: "20110210 CORE-2011-0103 - ZOHO ManageEngine ADSelfService multiple vulnerabilities",
                  tags: [
                     "mailing-list",
                     "x_refsource_BUGTRAQ",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/archive/1/516396/100/0/threaded",
               },
               {
                  name: "8089",
                  tags: [
                     "third-party-advisory",
                     "x_refsource_SREASON",
                     "x_transferred",
                  ],
                  url: "http://securityreason.com/securityalert/8089",
               },
               {
                  name: "adselfservice-employeesearch-xss(65349)",
                  tags: [
                     "vdb-entry",
                     "x_refsource_XF",
                     "x_transferred",
                  ],
                  url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/65349",
               },
               {
                  name: "70871",
                  tags: [
                     "vdb-entry",
                     "x_refsource_OSVDB",
                     "x_transferred",
                  ],
                  url: "http://www.osvdb.org/70871",
               },
               {
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities",
               },
               {
                  name: "46331",
                  tags: [
                     "vdb-entry",
                     "x_refsource_BID",
                     "x_transferred",
                  ],
                  url: "http://www.securityfocus.com/bid/46331",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "n/a",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "n/a",
                  },
               ],
            },
         ],
         datePublic: "2011-02-10T00:00:00",
         descriptions: [
            {
               lang: "en",
               value: "Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in the Employee Search Engine in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allow remote attackers to inject arbitrary web script or HTML via the searchString parameter in a (1) showList or (2) Search action.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     description: "n/a",
                     lang: "en",
                     type: "text",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2018-10-10T18:57:01",
            orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            shortName: "mitre",
         },
         references: [
            {
               name: "43241",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SECUNIA",
               ],
               url: "http://secunia.com/advisories/43241",
            },
            {
               name: "70872",
               tags: [
                  "vdb-entry",
                  "x_refsource_OSVDB",
               ],
               url: "http://www.osvdb.org/70872",
            },
            {
               name: "ADV-2011-0392",
               tags: [
                  "vdb-entry",
                  "x_refsource_VUPEN",
               ],
               url: "http://www.vupen.com/english/advisories/2011/0392",
            },
            {
               name: "20110210 CORE-2011-0103 - ZOHO ManageEngine ADSelfService multiple vulnerabilities",
               tags: [
                  "mailing-list",
                  "x_refsource_BUGTRAQ",
               ],
               url: "http://www.securityfocus.com/archive/1/516396/100/0/threaded",
            },
            {
               name: "8089",
               tags: [
                  "third-party-advisory",
                  "x_refsource_SREASON",
               ],
               url: "http://securityreason.com/securityalert/8089",
            },
            {
               name: "adselfservice-employeesearch-xss(65349)",
               tags: [
                  "vdb-entry",
                  "x_refsource_XF",
               ],
               url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/65349",
            },
            {
               name: "70871",
               tags: [
                  "vdb-entry",
                  "x_refsource_OSVDB",
               ],
               url: "http://www.osvdb.org/70871",
            },
            {
               tags: [
                  "x_refsource_MISC",
               ],
               url: "http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities",
            },
            {
               name: "46331",
               tags: [
                  "vdb-entry",
                  "x_refsource_BID",
               ],
               url: "http://www.securityfocus.com/bid/46331",
            },
         ],
         x_legacyV4Record: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2010-3274",
               STATE: "PUBLIC",
            },
            affects: {
               vendor: {
                  vendor_data: [
                     {
                        product: {
                           product_data: [
                              {
                                 product_name: "n/a",
                                 version: {
                                    version_data: [
                                       {
                                          version_value: "n/a",
                                       },
                                    ],
                                 },
                              },
                           ],
                        },
                        vendor_name: "n/a",
                     },
                  ],
               },
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "eng",
                     value: "Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in the Employee Search Engine in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allow remote attackers to inject arbitrary web script or HTML via the searchString parameter in a (1) showList or (2) Search action.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "eng",
                           value: "n/a",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "43241",
                     refsource: "SECUNIA",
                     url: "http://secunia.com/advisories/43241",
                  },
                  {
                     name: "70872",
                     refsource: "OSVDB",
                     url: "http://www.osvdb.org/70872",
                  },
                  {
                     name: "ADV-2011-0392",
                     refsource: "VUPEN",
                     url: "http://www.vupen.com/english/advisories/2011/0392",
                  },
                  {
                     name: "20110210 CORE-2011-0103 - ZOHO ManageEngine ADSelfService multiple vulnerabilities",
                     refsource: "BUGTRAQ",
                     url: "http://www.securityfocus.com/archive/1/516396/100/0/threaded",
                  },
                  {
                     name: "8089",
                     refsource: "SREASON",
                     url: "http://securityreason.com/securityalert/8089",
                  },
                  {
                     name: "adselfservice-employeesearch-xss(65349)",
                     refsource: "XF",
                     url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/65349",
                  },
                  {
                     name: "70871",
                     refsource: "OSVDB",
                     url: "http://www.osvdb.org/70871",
                  },
                  {
                     name: "http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities",
                     refsource: "MISC",
                     url: "http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities",
                  },
                  {
                     name: "46331",
                     refsource: "BID",
                     url: "http://www.securityfocus.com/bid/46331",
                  },
               ],
            },
         },
      },
   },
   cveMetadata: {
      assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
      assignerShortName: "mitre",
      cveId: "CVE-2010-3274",
      datePublished: "2011-02-17T17:00:00",
      dateReserved: "2010-09-09T00:00:00",
      dateUpdated: "2024-08-07T03:03:18.637Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2010-3274\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2011-02-17T18:00:03.073\",\"lastModified\":\"2025-04-11T00:51:21.963\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in the Employee Search Engine in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allow remote attackers to inject arbitrary web script or HTML via the searchString parameter in a (1) showList or (2) Search action.\"},{\"lang\":\"es\",\"value\":\"Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en EmployeeSearch.cc en el Employee Search Engine en ZOHO ManageEngine ADSelfService Plus anterior a v4.5 Build 4500 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro searchString en la acción (1) showList o (2) Search.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"4.4\",\"matchCriteriaId\":\"40A75087-E063-4DDE-8C0A-296A2F3A29FD\"}]}]}],\"references\":[{\"url\":\"http://secunia.com/advisories/43241\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://securityreason.com/securityalert/8089\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\"]},{\"url\":\"http://www.osvdb.org/70871\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\"]},{\"url\":\"http://www.osvdb.org/70872\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\"]},{\"url\":\"http://www.securityfocus.com/archive/1/516396/100/0/threaded\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/46331\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\"]},{\"url\":\"http://www.vupen.com/english/advisories/2011/0392\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/65349\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/43241\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://securityreason.com/securityalert/8089\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\"]},{\"url\":\"http://www.osvdb.org/70871\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\"]},{\"url\":\"http://www.osvdb.org/70872\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\"]},{\"url\":\"http://www.securityfocus.com/archive/1/516396/100/0/threaded\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/46331\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\"]},{\"url\":\"http://www.vupen.com/english/advisories/2011/0392\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/65349\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
   },
}

Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in the Employee Search Engine in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allow remote attackers to inject arbitrary web script or HTML via the searchString parameter in a (1) showList or (2) Search action. ManageEngine ADSelfService Plus is a secure, web-based end-user self-service password reset solution. The first problem exists in http://SERVER/EmployeeSearch.cc?actionId=showList, and the submission is similar to the following injection: http://SERVER/EmployeeSearch.cc?actionId=showList&searchString=alice%22%20onmouseover=%22alert%28 %27xss%27%29&parameterName=name&searchType=contains will cause the following HTML to be submitted to the user: EqualsThe second question exists at http://SERVER/EmployeeSearch.cc?actionId =Search, this page receives the search parameters and then creates a form that is sent to http://SERVER/EmployeeSearch.cc?actionId=showList. During the creation process, the unfiltered input is reflected to the user as a javasript block as follows: var searchValue = 'alice'; alert('xss'); var a='a'; var paramName = 'name' ; var searchType = 'contains'; The above example can be generated by the following link: http://SERVER/EmployeeSearch.cc?actionId=Search&parameterName=name&searchType=contains&searchString=alice%22+onMouseOver %3D%22javascript%3Aalert%28%27xss%27%29. Attackers can exploit these issues to bypass certain security restrictions and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help them steal cookie-based authentication credentials and launch other attacks. ManageEngine ADSelfService Plus 4.4 is vulnerable; other versions may also be affected. Advisory Information

Title: ZOHO ManageEngine ADSelfService multiple vulnerabilities Advisory ID: CORE-2011-0103 Advisory URL: http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities Date published: 2011-02-10 Date of last update: 2011-02-10 Vendors contacted: ZOHO Corporation Release mode: Coordinated release

Vulnerability Information

Class: Protection Mechanism Failure [CWE-693], Authentication Issues [CWE-287], Cross-Site Scripting (XSS) [CWE-79] Impact: Code execution, Security bypass Remotely Exploitable: Yes Locally Exploitable: No CVE Name: CVE-2010-3272, CVE-2010-3273, CVE-2010-3274

This software helps domain users to perform self service password reset, self service account unlock and employee self update of personal details (e.g. telephone numbers, etc) in Microsoft Windows Active Directory. Administrators find it easy to automate password resets, account unlocks while managing optimizing the expenses associated with helpdesk calls.

The security question mechanism used for password recovery can be weakened by tampering the HTTP POST request containing the answers, allowing an attacker to pass the security check by guessing just one of the security answers. Additionally, the CAPTCHA mechanism can be bypassed in the same manner, enabling the automation of the guessing attempts.

The security question mechanism can also be bypassed by changing the flow of the application, skipping the security question mechanism and sending a HTTP request requiring the password change immediately after declaring which user is to run the recovery procedure.

ManageEngine ADSelfService Plus 4.4.
Non-vulnerable packages

. ManageEngine ADSelfService Plus 4.5 Build 4500 and above.

Vendor Information, Solutions and Workarounds

Core would like to thanks Manikandan.T [2] for giving us the following detailed information about the way Zoho team has addressed the security vulnerabilities highlighted in this document.

6.1. Solution to the Weak security question mechanism

[CVE-2010-3272] In addition to the Security Questions, the latest version of ADSelfService Plus also includes an SMS Verification / Email Verification mechanism. This adds an additional security while password. Users must confirm the code sent to their mobile phones / email when they are to reset password / unlock accounts.

The earlier Builds used URL based on Post Request which was considered vulnerable. This has been replaced by a more secure Tokenizer mechanism. This mechanism prevents "by-passing any process / steps involved in password reset / account unlock". The Tokenizer mechanism mandates the flow of addressing every process only in the defined sequence. This implies that the "Hide_Captcha / quesList" fields cannot be altered; if not, they do not follow the desired sequence.

6.2. Solution to the Security question bypass

[CVE-2010-3273] Earlier version of ADSelfService Plus checked the validation only at the page where the user was present. Now Each and Every step and also the previous steps are being validated. The "Tokenizer Method" ensures that no steps are bypassed. It also ensures that validation occurs at every level and also only in the sequence desired.

6.3. Solution to Cross site scripting vulnerabilities

[CVE-2010-3274] Security Filters are used to prevent Cross Site Scripting vulnerabilities. ADSelfService Plus now checks every input provided by a user at all the pages including "Password Reset / Unlock Account", Employee Search pages.

Credits

This vulnerability was discovered and researched by Ernesto Alvarez from Core Security Technologies. The publication of this advisory was coordinated by Fernando Miranda from Core Security Advisories team.

Technical Description / Proof of Concept Code

8.1. Weak security question mechanism

[CVE-2010-3272] The procedure to recover a lost password involves the user answering a series of security questions set during enrollment. After the recovery request and user ID have been sent, the system requires the user to answer a certain number of security questions, whose answers are then sent using a POST request, as seen below.

/----- POST /accounts/ValidateAnswers?methodToCall=validateAll HTTP/1.1

Host: SERVER User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Proxy-Connection: keep-alive Referer: http://SERVER/accounts/ValidateUser Cookie: JSESSIONID=8F93EB242EF06C51BE93EB0CEDA69085 Content-Type: application/x-www-form-urlencoded Content-Length: 294

loginId=1501&Hide_Captcha=0&POLICY_ID=1&Confirm_Answer=1&SESSION_EXPIRY_TIME=5&LOGIN_NAME=alice&REM_SESSION_TIME=00%3A40&bAns=11111&bQues=PreDefined-2&bAns=22222&bQues=PreDefined-3&bAns=33333&bQues=PreDefined-4&bAns=44444&bQues=PreDefined-5&quesList=4&DIGEST=qodpgd&next=Continue&DIS_ALL_QUES=1

-----/ As seen in the HTTP POST above, the client has the ability to decide:

Whether he wants to complete a captcha or not, by altering the "Hide_Captcha" field.
How many security questions he has to answer, if he modifies the "quesList" parameter.

Therefore, an attacker can choose to answer just one security question of his choice, and this procedure can be automated, since the captcha can be bypassed. The reason for this weakness is that most of the recovery logic is left to the client to execute. This allows the client to alter the recovery procedure, weakening the process.

8.2. Security question bypass

[CVE-2010-3273] The security question mechanism can also be completely bypassed, allowing an attacker to reset an arbitrary user password. In order to bypass the mechanism, an attacker must first select the user whose password is to be changed, an operation which does not require authentication, and then skip the security question mechanism, issuing a HTTP request to the URL that accept password changes.

The normal recovery procedure in the ADSelfService Plus system consists of four steps:

Invoke the reset function. By going to '//SERVER/accounts/Reset', the user is prompted to enter his user id.
Input the user id that needs a password reset. By filling the form from step 1, the user id in sent to 'http://SERVER/accounts/ValidateUser' using a HTTP POST. During this step, the user id is associated with the HTTP session (as shown in the JSESSIONID cookie). The user is prompted with the security questions.
Validate the security questions. The answers are sent for validation to:

/----- http://SERVER/accounts/ValidateAnswers?methodToCall=validateAll -----/ If the answers are correct, a HTTP page with a form to input the new password is sent to the user. If the answers are wrong, the user is prompted again for the correct answers, and the step 3 must be redone. 4. Reset the password. The new password is sent in a HTTP POST to 'http://SERVER/accounts/ResetResult'. The server resets the password.

While some of the logic (mostly requiring changes to server data) is on the server side, the order of the steps to be performed can be controlled by the user. By performing steps 2 and 4 while skipping step 3, the user is able to change the password for another user of his choice. This flaw is due to the way the server acts on the information received. Step 2 associates a JSESSIONID to a user id (apparently necessary to perform step 3) while step 4 changes the password of whatever account is associated with the JSP session, setting it to the value posted. Since the server does not check whether step 3 has been completed, forging the appropriate HTTP POST requests necessary to perform the two steps mentioned is sufficient to change a user's password.

8.3. The first one involves the function used for listing matching usernames according to search criteria previously entered by the user, found in 'http://SERVER/EmployeeSearch.cc?actionId=showList'. The server reflects the contents of the 'searchString' field back to the user. This code can be easily viewed if captured on the wire using a proxy server, though.

Additionally, since invoking 'http://SERVER/EmployeeSearch.cc?actionId=Search' causes a redirection to 'http://SERVER/EmployeeSearch.cc?actionId=showList', entering any data capable of triggering a vulnerability in the latter page can be introduced in the former with the same results.

It is important to note that since the cross site scripting vulnerabilities were detected while investigating the authentication bypass issues and were considered a secondary matter, the pages containing them were not thoroughly tested. This leaves the possibility of other similar cross site scripting vulnerabilities remaining undetected.

Report Timeline

. 2011-01-11: Initial notification to the vendor. Publication date set to February 2nd, 2011. 2011-01-13: The Zoho team asks Core for a technical description of the vulnerability. 2011-01-13: Technical details sent to Zoho team by Core. 2011-01-17: The Zoho team acknowledges reception of advisory draft and asks a contact phone number to discuss these flaws. 2011-01-17: The Core team notifies its preference for keeping the whole communication process through email, in order to track all interactions, and involve all those interested in:

the Core Security Advisories Team,
the Zoho team and,
the discoverer of the vulnerability.

If there is something that cannot be resolved via email, Core team can eventually send a phone number to set up a conference call, but that is not necessary at the moment. 2011-01-20: The Zoho team notifies that the vulnerabilities highlighted in the document will be addressed in the upcoming release of ADSelfService Plus, scheduled to be released before Feb. 11th. 2011-01-21: Core notifies that the advisory was re-scheduled to Feb. 10th, and asks if any security bulleting is going to be released by Zoho team regarding these vulnerabilities. 2011-01-28: The Zoho team notifies that they are on schedule for the release of the new version of ADSelfService Plus. Zoho have plans to publish a report regarding these vulnerabilities, including solutions and workarounds. 2011-02-07: Core asks if Zoho team will be ready for disclosure next Thursday Feb 10th in order to coordinate the advisory publication. 2011-02-08: The Zoho team notifies that they are ready with the Engineering Release version ADSelfService Plus 4.5 Build 4500. This version of ADSelfService Plus has taken into consideration and also addressed all security vulnerabilities highlighted by this advisory. Zoho is going to make a public announcement by Tomorrow. 2011-02-10: The advisory CORE-2011-0103 is published.

References

[1] ADSelfService Plus http://www.manageengine.com/products/self-service-password. [2] Manikandan.T, Senior Program Manager, ManageEngine ADSelfService Plus.

About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com/.

About Core Security Technologies

Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and prove real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

Disclaimer

The contents of this advisory are copyright (c) 2011 Core Security Technologies and (c) 2011 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. ----------------------------------------------------------------------

Get a tax break on purchases of Secunia Solutions!

If you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at: http://secunia.com/products/corporate/vim/section_179/

TITLE: ManageEngine ADSelfService Plus Cross-Site Scripting and Security Bypass

SECUNIA ADVISORY ID: SA43241

VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/43241/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=43241

RELEASE DATE: 2011-02-12

DISCUSS ADVISORY: http://secunia.com/advisories/43241/#comments

AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s)

http://secunia.com/advisories/43241/

ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS

https://ca.secunia.com/?page=viewadvisory&vuln_id=43241

ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING

http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/

DESCRIPTION: Core Security Technologies has reported multiple vulnerabilities in ManageEngine ADSelfService Plus, which can be exploited by malicious people to conduct cross-site scripting attacks and bypass certain security restrictions.

2) Input passed to the "searchString" parameter in EmployeeSearch.cc (when "actionId" is set to "showList" or "Search") is not properly sanitised before being returned to the user.

The vulnerabilities are reported in version 4.4.

SOLUTION: Reportedly fixed in version 4.5 Build 4500.

ORIGINAL ADVISORY: CORE-2011-0103: http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities

OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/

DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/

EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/

EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/

EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/

About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities.

Subscribe: http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/

Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor

Show details on source website

JSON

To clipboard

{
   "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
      affected_products: {
         "@id": "https://www.variotdbs.pl/ref/affected_products",
      },
      configurations: {
         "@id": "https://www.variotdbs.pl/ref/configurations",
      },
      credits: {
         "@id": "https://www.variotdbs.pl/ref/credits",
      },
      cvss: {
         "@id": "https://www.variotdbs.pl/ref/cvss/",
      },
      description: {
         "@id": "https://www.variotdbs.pl/ref/description/",
      },
      exploit_availability: {
         "@id": "https://www.variotdbs.pl/ref/exploit_availability/",
      },
      external_ids: {
         "@id": "https://www.variotdbs.pl/ref/external_ids/",
      },
      iot: {
         "@id": "https://www.variotdbs.pl/ref/iot/",
      },
      iot_taxonomy: {
         "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/",
      },
      patch: {
         "@id": "https://www.variotdbs.pl/ref/patch/",
      },
      problemtype_data: {
         "@id": "https://www.variotdbs.pl/ref/problemtype_data/",
      },
      references: {
         "@id": "https://www.variotdbs.pl/ref/references/",
      },
      sources: {
         "@id": "https://www.variotdbs.pl/ref/sources/",
      },
      sources_release_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_release_date/",
      },
      sources_update_date: {
         "@id": "https://www.variotdbs.pl/ref/sources_update_date/",
      },
      threat_type: {
         "@id": "https://www.variotdbs.pl/ref/threat_type/",
      },
      title: {
         "@id": "https://www.variotdbs.pl/ref/title/",
      },
      type: {
         "@id": "https://www.variotdbs.pl/ref/type/",
      },
   },
   "@id": "https://www.variotdbs.pl/vuln/VAR-201102-0051",
   affected_products: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            model: "manageengine adselfservice plus",
            scope: "lte",
            trust: 1,
            vendor: "zohocorp",
            version: "4.4",
         },
         {
            model: "manageengine adselfservice plus",
            scope: "eq",
            trust: 0.9,
            vendor: "zoho",
            version: "4.4",
         },
         {
            model: "manageengine adselfservice plus",
            scope: "lt",
            trust: 0.8,
            vendor: "zoho",
            version: "4.5 build 4500",
         },
         {
            model: "manageengine adselfservice plus",
            scope: "eq",
            trust: 0.6,
            vendor: "zohocorp",
            version: "4.4",
         },
         {
            model: null,
            scope: "eq",
            trust: 0.4,
            vendor: "manageengine adselfservice plus",
            version: "*",
         },
         {
            model: "manageengine adselfservice plus build",
            scope: "ne",
            trust: 0.3,
            vendor: "zoho",
            version: "4.54500",
         },
      ],
      sources: [
         {
            db: "IVD",
            id: "7d7a93e3-463f-11e9-9a1c-000c29342cb1",
         },
         {
            db: "IVD",
            id: "4677780a-2355-11e6-abef-000c29c66e3d",
         },
         {
            db: "CNVD",
            id: "CNVD-2011-0527",
         },
         {
            db: "BID",
            id: "46331",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-003868",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201102-265",
         },
         {
            db: "NVD",
            id: "CVE-2010-3274",
         },
      ],
   },
   configurations: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/configurations#",
         children: {
            "@container": "@list",
         },
         cpe_match: {
            "@container": "@list",
         },
         data: {
            "@container": "@list",
         },
         nodes: {
            "@container": "@list",
         },
      },
      data: [
         {
            CVE_data_version: "4.0",
            nodes: [
               {
                  cpe_match: [
                     {
                        cpe22Uri: "cpe:/a:zohocorp:manageengine_adselfservice_plus",
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
            ],
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2011-003868",
         },
      ],
   },
   credits: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/credits#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Ernesto Álvarez from Core Security Technologies",
      sources: [
         {
            db: "BID",
            id: "46331",
         },
      ],
      trust: 0.3,
   },
   cve: "CVE-2010-3274",
   cvss: {
      "@context": {
         cvssV2: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2",
         },
         cvssV3: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/",
         },
         severity: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/cvss/severity#",
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
            "@id": "https://www.variotdbs.pl/ref/sources",
         },
      },
      data: [
         {
            cvssV2: [
               {
                  accessComplexity: "MEDIUM",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  author: "nvd@nist.gov",
                  availabilityImpact: "NONE",
                  baseScore: 4.3,
                  confidentialityImpact: "NONE",
                  exploitabilityScore: 8.6,
                  id: "CVE-2010-3274",
                  impactScore: 2.9,
                  integrityImpact: "PARTIAL",
                  severity: "MEDIUM",
                  trust: 1.8,
                  vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
                  version: "2.0",
               },
               {
                  accessComplexity: "MEDIUM",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  author: "IVD",
                  availabilityImpact: "NONE",
                  baseScore: 4.3,
                  confidentialityImpact: "NONE",
                  exploitabilityScore: 8.6,
                  id: "7d7a93e3-463f-11e9-9a1c-000c29342cb1",
                  impactScore: 2.9,
                  integrityImpact: "PARTIAL",
                  severity: "MEDIUM",
                  trust: 0.2,
                  vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
                  version: "2.9 [IVD]",
               },
               {
                  accessComplexity: "MEDIUM",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  author: "IVD",
                  availabilityImpact: "NONE",
                  baseScore: 4.3,
                  confidentialityImpact: "NONE",
                  exploitabilityScore: 8.6,
                  id: "4677780a-2355-11e6-abef-000c29c66e3d",
                  impactScore: 2.9,
                  integrityImpact: "PARTIAL",
                  severity: "MEDIUM",
                  trust: 0.2,
                  vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
                  version: "2.9 [IVD]",
               },
            ],
            cvssV3: [],
            severity: [
               {
                  author: "nvd@nist.gov",
                  id: "CVE-2010-3274",
                  trust: 1,
                  value: "MEDIUM",
               },
               {
                  author: "NVD",
                  id: "CVE-2010-3274",
                  trust: 0.8,
                  value: "Medium",
               },
               {
                  author: "CNNVD",
                  id: "CNNVD-201102-265",
                  trust: 0.6,
                  value: "MEDIUM",
               },
               {
                  author: "IVD",
                  id: "7d7a93e3-463f-11e9-9a1c-000c29342cb1",
                  trust: 0.2,
                  value: "MEDIUM",
               },
               {
                  author: "IVD",
                  id: "4677780a-2355-11e6-abef-000c29c66e3d",
                  trust: 0.2,
                  value: "MEDIUM",
               },
            ],
         },
      ],
      sources: [
         {
            db: "IVD",
            id: "7d7a93e3-463f-11e9-9a1c-000c29342cb1",
         },
         {
            db: "IVD",
            id: "4677780a-2355-11e6-abef-000c29c66e3d",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-003868",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201102-265",
         },
         {
            db: "NVD",
            id: "CVE-2010-3274",
         },
      ],
   },
   description: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/description#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in the Employee Search Engine in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allow remote attackers to inject arbitrary web script or HTML via the searchString parameter in a (1) showList or (2) Search action. ManageEngine ADSelfService Plus is a secure, web-based end-user self-service password reset solution. The first problem exists in http://SERVER/EmployeeSearch.cc?actionId=showList, and the submission is similar to the following injection: http://SERVER/EmployeeSearch.cc?actionId=showList&searchString=alice%22%20onmouseover=%22alert%28 %27xss%27%29&parameterName=name&searchType=contains will cause the following HTML to be submitted to the user: <option value=\\\"equals\\\" > Equals</option></select><input type=\\\"text\\\" name=\\\"searchString\\\" id =\\\"searchTextField\\\" class=\\\"textfield\\\" value=\\\"alice\\\" onmouseover=\\\"alert('xss')\\\" onkeypress=\\\"javascript:return searchOnKeyPressEvent(event)\\\"><input type=\\\"button\\\" name=\\\"search\\\" id= \\\"search\\\" class=\\\"button\\\" value=\\\"&nbsp;Go&nbsp;\\\" onclick=\\\"javascript:searchAD()\\\"></td><tr>The second question exists at http://SERVER/EmployeeSearch.cc?actionId =Search, this page receives the search parameters and then creates a form that is sent to http://SERVER/EmployeeSearch.cc?actionId=showList. During the creation process, the unfiltered input is reflected to the user as a javasript block as follows: <script> var searchValue = 'alice'; alert('xss'); var a='a'; var paramName = 'name' ; var searchType = 'contains';</script> The above example can be generated by the following link: http://SERVER/EmployeeSearch.cc?actionId=Search&amp;parameterName=name&amp;searchType=contains&amp;searchString=alice%22+onMouseOver %3D%22javascript%3Aalert%28%27xss%27%29. \nAttackers can exploit these issues to bypass certain security  restrictions and to execute arbitrary script code in the browser of an  unsuspecting user in the context of the affected site. This may help  them steal cookie-based  authentication credentials and launch other  attacks. \nManageEngine ADSelfService Plus 4.4 is vulnerable; other versions may also be affected. *Advisory Information*\n\nTitle: ZOHO ManageEngine ADSelfService multiple vulnerabilities\nAdvisory ID: CORE-2011-0103\nAdvisory URL:\nhttp://www.coresecurity.com/content/zoho-manageengine-vulnerabilities\nDate published: 2011-02-10\nDate of last update: 2011-02-10\nVendors contacted: ZOHO Corporation\nRelease mode: Coordinated release\n\n\n2. *Vulnerability Information*\n\nClass: Protection Mechanism Failure [CWE-693], Authentication Issues\n[CWE-287], Cross-Site Scripting (XSS) [CWE-79]\nImpact: Code execution, Security bypass\nRemotely Exploitable: Yes\nLocally Exploitable: No\nCVE Name: CVE-2010-3272, CVE-2010-3273, CVE-2010-3274\n\n\n3. This software helps domain users to\nperform self service password reset, self service account unlock and\nemployee self update of personal details (e.g. telephone numbers, etc)\nin Microsoft Windows Active Directory. Administrators find it easy to\nautomate password resets, account unlocks while managing optimizing the\nexpenses associated with helpdesk calls. \n\nThe security question mechanism used for password recovery can be\nweakened by tampering the HTTP POST request containing the answers,\nallowing an attacker to pass the security check by guessing just one of\nthe security answers. Additionally, the CAPTCHA mechanism can be\nbypassed in the same manner, enabling the automation of the guessing\nattempts. \n\nThe security question mechanism can also be bypassed by changing the\nflow of the application, skipping the security question mechanism and\nsending a HTTP request requiring the password change immediately after\ndeclaring which user is to run the recovery procedure. \n\n\n4. ManageEngine ADSelfService Plus 4.4. \n\n\n5. *Non-vulnerable packages*\n\n   . ManageEngine ADSelfService Plus 4.5 Build 4500 and above. \n\n\n6. *Vendor Information, Solutions and Workarounds*\n\nCore would like to thanks Manikandan.T [2] for giving us the following\ndetailed information about the way Zoho team has addressed the security\nvulnerabilities highlighted in this document. \n\n\n6.1. *Solution to the Weak security question mechanism*\n\n[CVE-2010-3272] In addition to the Security Questions, the latest\nversion of ADSelfService Plus also includes an SMS Verification / Email\nVerification mechanism. This adds an additional security while password. \nUsers must confirm the code sent to their mobile phones / email when\nthey are to reset password / unlock accounts. \n\nThe earlier Builds used URL based on Post Request which was considered\nvulnerable. This has been replaced by a more secure Tokenizer mechanism. \nThis mechanism prevents \"by-passing any process / steps involved in\npassword reset / account unlock\". The Tokenizer mechanism mandates the\nflow of addressing every process only in the defined sequence. This\nimplies that the \"Hide_Captcha / quesList\" fields cannot be altered; if\nnot, they do not follow the desired sequence. \n\n\n6.2. *Solution to the Security question bypass*\n\n[CVE-2010-3273] Earlier version of ADSelfService Plus checked the\nvalidation only at the page where the user was present. Now Each and\nEvery step and also the previous steps are being validated. The\n\"Tokenizer Method\" ensures that no steps are bypassed. It also ensures\nthat validation occurs at every level and also only in the sequence\ndesired. \n\n\n6.3. *Solution to Cross site scripting vulnerabilities*\n\n[CVE-2010-3274] Security Filters are used to prevent Cross Site\nScripting vulnerabilities. ADSelfService Plus now checks every input\nprovided by a user at all the pages including \"Password Reset / Unlock\nAccount\", Employee Search pages. \n\n\n7. *Credits*\n\nThis vulnerability was discovered and researched by Ernesto Alvarez from\nCore Security Technologies. The publication of this advisory was\ncoordinated by Fernando Miranda from Core Security Advisories team. \n\n\n8. *Technical Description / Proof of Concept Code*\n\n8.1. *Weak security question mechanism*\n\n[CVE-2010-3272] The procedure to recover a lost password involves the\nuser answering a series of security questions set during enrollment. \nAfter the recovery request and user ID have been sent, the system\nrequires the user to answer a certain number of security questions,\nwhose answers are then sent using a POST request, as seen below. \n\n/-----\nPOST /accounts/ValidateAnswers?methodToCall=validateAll HTTP/1.1\n\nHost: SERVER\nUser-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.13)\nGecko/20101206 Ubuntu/10.10 (maverick) Firefox/3.6.13\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-us,en;q=0.5\nAccept-Encoding: gzip,deflate\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\nKeep-Alive: 115\nProxy-Connection: keep-alive\nReferer: http://SERVER/accounts/ValidateUser\nCookie: JSESSIONID=8F93EB242EF06C51BE93EB0CEDA69085\nContent-Type: application/x-www-form-urlencoded\nContent-Length: 294\n\nloginId=1501&Hide_Captcha=0&POLICY_ID=1&Confirm_Answer=1&SESSION_EXPIRY_TIME=5&LOGIN_NAME=alice&REM_SESSION_TIME=00%3A40&bAns=11111&bQues=PreDefined-2&bAns=22222&bQues=PreDefined-3&bAns=33333&bQues=PreDefined-4&bAns=44444&bQues=PreDefined-5&quesList=4&DIGEST=qodpgd&next=Continue&DIS_ALL_QUES=1\n\n-----/\n As seen in the HTTP POST above, the client has the ability to decide:\n\n   1. Whether he wants to complete a captcha or not, by altering the\n\"Hide_Captcha\" field. \n   2. How many security questions he has to answer, if he modifies the\n\"quesList\" parameter. \n\n Therefore, an attacker can choose to answer just one security question\nof his choice, and this procedure can be automated, since the captcha\ncan be bypassed. The reason for this weakness is that most of the\nrecovery logic is left to the client to execute. This allows the client\nto alter the recovery procedure, weakening the process. \n\n\n8.2. *Security question bypass*\n\n[CVE-2010-3273] The security question mechanism can also be completely\nbypassed, allowing an attacker to reset an arbitrary user password. In\norder to bypass the mechanism, an attacker must first select the user\nwhose password is to be changed, an operation which does not require\nauthentication, and then skip the security question mechanism, issuing a\nHTTP request to the URL that accept password changes. \n\nThe normal recovery procedure in the ADSelfService Plus system consists\nof four steps:\n\n   1. *Invoke  the reset function.* By going to\n'//SERVER/accounts/Reset', the user is prompted to enter his user id. \n   2. *Input the user id that needs a password reset.* By filling the\nform from step 1, the user id in sent to\n'http://SERVER/accounts/ValidateUser' using a HTTP POST. During this\nstep, the user id is associated with the HTTP session (as shown in the\nJSESSIONID cookie). The user is prompted with the security questions. \n   3. *Validate the security questions.* The answers are sent for\nvalidation to:\n\n/-----\nhttp://SERVER/accounts/ValidateAnswers?methodToCall=validateAll\n-----/\n If the answers are correct, a HTTP page with a form to input the new\npassword is sent to the user. If the answers are wrong, the user is\nprompted again for the correct answers, and the step 3 must be redone. \n   4. *Reset the password.* The new password is sent in a HTTP POST to\n'http://SERVER/accounts/ResetResult'. The server resets the password. \n\n While some of the logic (mostly requiring changes to server data) is on\nthe server side, the order of the steps to be performed can be\ncontrolled by the user. By performing steps 2 and 4 while skipping step\n3, the user is able to change the password for another user of his\nchoice. This flaw is due to the way the server acts on the information\nreceived. Step 2 associates a JSESSIONID to a user id (apparently\nnecessary to perform step 3) while step 4 changes the password of\nwhatever account is associated with the JSP session, setting it to the\nvalue posted. Since the server does not check whether step 3 has been\ncompleted, forging the appropriate HTTP POST requests necessary to\nperform the two steps mentioned is sufficient to change a user's password. \n\n\n8.3. The first one involves the function used\nfor listing matching usernames according to search criteria previously\nentered by the user, found in\n'http://SERVER/EmployeeSearch.cc?actionId=showList'. The server reflects\nthe contents of the 'searchString' field back to the user. This code can\nbe easily viewed if captured on the wire using a proxy server, though. \n\nAdditionally, since invoking\n'http://SERVER/EmployeeSearch.cc?actionId=Search' causes a redirection\nto 'http://SERVER/EmployeeSearch.cc?actionId=showList', entering any\ndata capable of triggering a vulnerability in the latter page can be\nintroduced in the former with the same results. \n\nIt is important to note that since the cross site scripting\nvulnerabilities were detected while investigating the authentication\nbypass issues and were considered a secondary matter, the pages\ncontaining them were not thoroughly tested. This leaves the possibility\nof other similar cross site scripting vulnerabilities remaining undetected. \n\n\n9. *Report Timeline*\n\n. 2011-01-11:\nInitial notification to the vendor. Publication date set to February\n2nd, 2011. 2011-01-13:\nThe Zoho team asks Core for a technical description of the vulnerability. 2011-01-13:\nTechnical details sent to Zoho team by Core. 2011-01-17:\nThe Zoho team acknowledges reception of advisory draft and asks a\ncontact phone number to discuss these flaws. 2011-01-17:\nThe Core team notifies its preference for keeping the whole\ncommunication process through email, in order to track all interactions,\nand involve all those interested in:\n\n   1. the Core Security Advisories Team,\n   2. the Zoho team and,\n   3. the discoverer of the vulnerability. \n\n If there is something that cannot be resolved via email, Core team can\neventually send a phone number to set up a conference call, but that is\nnot necessary at the moment. 2011-01-20:\nThe Zoho team notifies that the vulnerabilities highlighted in the\ndocument will be addressed in the upcoming release of ADSelfService\nPlus, scheduled to be released before Feb. 11th. 2011-01-21:\nCore notifies that the advisory was re-scheduled to Feb. 10th, and asks\nif any security bulleting is going to be released by Zoho team regarding\nthese vulnerabilities. 2011-01-28:\nThe Zoho team notifies that they are on schedule for the release of the\nnew version of ADSelfService Plus. Zoho have plans to publish a report\nregarding these vulnerabilities, including solutions and workarounds. 2011-02-07:\nCore asks if Zoho team will be ready for disclosure next Thursday Feb\n10th in order to coordinate the advisory publication. 2011-02-08:\nThe Zoho team notifies that they are ready with the Engineering Release\nversion ADSelfService Plus 4.5 Build 4500. This version of ADSelfService\nPlus has taken into consideration and also addressed all security\nvulnerabilities highlighted by this advisory. Zoho is going to make a\npublic announcement by Tomorrow. 2011-02-10:\nThe advisory CORE-2011-0103 is published. \n\n\n10. *References*\n\n[1] ADSelfService Plus\nhttp://www.manageengine.com/products/self-service-password. \n[2] Manikandan.T, Senior Program Manager, ManageEngine ADSelfService Plus. \n\n\n11. *About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://corelabs.coresecurity.com/. \n\n\n12. *About Core Security Technologies*\n\nCore Security Technologies enables organizations to get ahead of threats\nwith security test and measurement solutions that continuously identify\nand prove real-world exposures to their most critical assets. Our\ncustomers can gain real visibility into their security standing, real\nvalidation of their security controls, and real metrics to more\neffectively secure their organizations. \n\nCore Security's software solutions build on over a decade of trusted\nresearch and leading-edge threat expertise from the company's Security\nConsulting Services, CoreLabs and Engineering groups. Core Security\nTechnologies can be reached at +1 (617) 399-6980 or on the Web at:\nhttp://www.coresecurity.com. \n\n\n13. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2011 Core Security\nTechnologies and (c) 2011 CoreLabs, and may be distributed freely\nprovided that no fee is charged for this distribution and proper credit\nis given. \n\n\n14. *PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. ----------------------------------------------------------------------\n\n\nGet a tax break on purchases of Secunia Solutions!\n\nIf you are a U.S. company, you may be qualified for a tax break for your software purchases. Learn more at:\nhttp://secunia.com/products/corporate/vim/section_179/\n\n\n----------------------------------------------------------------------\n\nTITLE:\nManageEngine ADSelfService Plus Cross-Site Scripting and Security\nBypass\n\nSECUNIA ADVISORY ID:\nSA43241\n\nVERIFY ADVISORY:\nSecunia.com\nhttp://secunia.com/advisories/43241/\nCustomer Area (Credentials Required)\nhttps://ca.secunia.com/?page=viewadvisory&vuln_id=43241\n\nRELEASE DATE:\n2011-02-12\n\nDISCUSS ADVISORY:\nhttp://secunia.com/advisories/43241/#comments\n\nAVAILABLE ON SITE AND IN CUSTOMER AREA:\n * Last Update\n * Popularity\n * Comments\n * Criticality Level\n * Impact\n * Where\n * Solution Status\n * Operating System / Software\n * CVE Reference(s)\n\nhttp://secunia.com/advisories/43241/\n\nONLY AVAILABLE IN CUSTOMER AREA:\n * Authentication Level\n * Report Reliability\n * Secunia PoC\n * Secunia Analysis\n * Systems Affected\n * Approve Distribution\n * Remediation Status\n * Secunia CVSS Score\n * CVSS\n\nhttps://ca.secunia.com/?page=viewadvisory&vuln_id=43241\n\nONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI:\n * AUTOMATED SCANNING\n\nhttp://secunia.com/vulnerability_scanning/personal/\nhttp://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/\n\nDESCRIPTION:\nCore Security Technologies has reported multiple vulnerabilities in\nManageEngine ADSelfService Plus, which can be exploited by malicious\npeople to conduct cross-site scripting attacks and bypass certain\nsecurity restrictions. \n\n2) Input passed to the \"searchString\" parameter in EmployeeSearch.cc\n(when \"actionId\" is set to \"showList\" or \"Search\") is not properly\nsanitised before being returned to the user. \n\nThe vulnerabilities are reported in version 4.4. \n\nSOLUTION:\nReportedly fixed in version 4.5 Build 4500. \n\nORIGINAL ADVISORY:\nCORE-2011-0103:\nhttp://www.coresecurity.com/content/zoho-manageengine-vulnerabilities\n\nOTHER REFERENCES:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nDEEP LINKS:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXTENDED DESCRIPTION:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXTENDED SOLUTION:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\nEXPLOIT:\nFurther details available in Customer Area:\nhttp://secunia.com/products/corporate/EVM/\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\nprivate users keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor",
      sources: [
         {
            db: "NVD",
            id: "CVE-2010-3274",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-003868",
         },
         {
            db: "CNVD",
            id: "CNVD-2011-0527",
         },
         {
            db: "BID",
            id: "46331",
         },
         {
            db: "IVD",
            id: "7d7a93e3-463f-11e9-9a1c-000c29342cb1",
         },
         {
            db: "IVD",
            id: "4677780a-2355-11e6-abef-000c29c66e3d",
         },
         {
            db: "PACKETSTORM",
            id: "98397",
         },
         {
            db: "PACKETSTORM",
            id: "98429",
         },
      ],
      trust: 2.97,
   },
   external_ids: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            db: "NVD",
            id: "CVE-2010-3274",
            trust: 3.8,
         },
         {
            db: "BID",
            id: "46331",
            trust: 1.9,
         },
         {
            db: "SECUNIA",
            id: "43241",
            trust: 1.7,
         },
         {
            db: "OSVDB",
            id: "70872",
            trust: 1.6,
         },
         {
            db: "OSVDB",
            id: "70871",
            trust: 1.6,
         },
         {
            db: "VUPEN",
            id: "ADV-2011-0392",
            trust: 1.6,
         },
         {
            db: "CNVD",
            id: "CNVD-2011-0527",
            trust: 1,
         },
         {
            db: "CNNVD",
            id: "CNNVD-201102-265",
            trust: 1,
         },
         {
            db: "SREASON",
            id: "8089",
            trust: 1,
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-003868",
            trust: 0.8,
         },
         {
            db: "XF",
            id: "65349",
            trust: 0.6,
         },
         {
            db: "BUGTRAQ",
            id: "20110210 CORE-2011-0103 - ZOHO MANAGEENGINE ADSELFSERVICE MULTIPLE VULNERABILITIES",
            trust: 0.6,
         },
         {
            db: "IVD",
            id: "7D7A93E3-463F-11E9-9A1C-000C29342CB1",
            trust: 0.2,
         },
         {
            db: "IVD",
            id: "4677780A-2355-11E6-ABEF-000C29C66E3D",
            trust: 0.2,
         },
         {
            db: "PACKETSTORM",
            id: "98397",
            trust: 0.1,
         },
         {
            db: "PACKETSTORM",
            id: "98429",
            trust: 0.1,
         },
      ],
      sources: [
         {
            db: "IVD",
            id: "7d7a93e3-463f-11e9-9a1c-000c29342cb1",
         },
         {
            db: "IVD",
            id: "4677780a-2355-11e6-abef-000c29c66e3d",
         },
         {
            db: "CNVD",
            id: "CNVD-2011-0527",
         },
         {
            db: "BID",
            id: "46331",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-003868",
         },
         {
            db: "PACKETSTORM",
            id: "98397",
         },
         {
            db: "PACKETSTORM",
            id: "98429",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201102-265",
         },
         {
            db: "NVD",
            id: "CVE-2010-3274",
         },
      ],
   },
   id: "VAR-201102-0051",
   iot: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/iot#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: true,
      sources: [
         {
            db: "IVD",
            id: "7d7a93e3-463f-11e9-9a1c-000c29342cb1",
         },
         {
            db: "IVD",
            id: "4677780a-2355-11e6-abef-000c29c66e3d",
         },
         {
            db: "CNVD",
            id: "CNVD-2011-0527",
         },
      ],
      trust: 0.1,
   },
   iot_taxonomy: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            category: [
               "ICS",
            ],
            sub_category: null,
            trust: 1,
         },
      ],
      sources: [
         {
            db: "IVD",
            id: "7d7a93e3-463f-11e9-9a1c-000c29342cb1",
         },
         {
            db: "IVD",
            id: "4677780a-2355-11e6-abef-000c29c66e3d",
         },
         {
            db: "CNVD",
            id: "CNVD-2011-0527",
         },
      ],
   },
   last_update_date: "2024-11-23T22:23:32.331000Z",
   patch: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/patch#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            title: "ADSelfService Plus",
            trust: 0.8,
            url: "http://www.manageengine.com/products/self-service-password/index.html",
         },
         {
            title: "Patch for ManageEngine ADSelfService Plus Cross-Site Scripting Vulnerability",
            trust: 0.6,
            url: "https://www.cnvd.org.cn/patchInfo/show/2871",
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2011-0527",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-003868",
         },
      ],
   },
   problemtype_data: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            problemtype: "CWE-79",
            trust: 1.8,
         },
      ],
      sources: [
         {
            db: "JVNDB",
            id: "JVNDB-2011-003868",
         },
         {
            db: "NVD",
            id: "CVE-2010-3274",
         },
      ],
   },
   references: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/references#",
         data: {
            "@container": "@list",
         },
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: [
         {
            trust: 2.7,
            url: "http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities",
         },
         {
            trust: 1.6,
            url: "http://www.vupen.com/english/advisories/2011/0392",
         },
         {
            trust: 1.6,
            url: "http://www.securityfocus.com/bid/46331",
         },
         {
            trust: 1.6,
            url: "http://www.osvdb.org/70872",
         },
         {
            trust: 1.6,
            url: "http://www.osvdb.org/70871",
         },
         {
            trust: 1.6,
            url: "http://secunia.com/advisories/43241",
         },
         {
            trust: 1,
            url: "http://securityreason.com/securityalert/8089",
         },
         {
            trust: 1,
            url: "http://www.securityfocus.com/archive/1/516396/100/0/threaded",
         },
         {
            trust: 1,
            url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/65349",
         },
         {
            trust: 0.8,
            url: "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-3274",
         },
         {
            trust: 0.8,
            url: "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-3274",
         },
         {
            trust: 0.6,
            url: "http://xforce.iss.net/xforce/xfdb/65349",
         },
         {
            trust: 0.6,
            url: "http://www.securityfocus.com/archive/1/archive/1/516396/100/0/threaded",
         },
         {
            trust: 0.3,
            url: "http://www.manageengine.com/",
         },
         {
            trust: 0.3,
            url: "http://www.manageengine.com/products/self-service-password/index.html",
         },
         {
            trust: 0.1,
            url: "http://server/accounts/validateuser'",
         },
         {
            trust: 0.1,
            url: "http://corelabs.coresecurity.com/",
         },
         {
            trust: 0.1,
            url: "http://corelabs.coresecurity.com/.",
         },
         {
            trust: 0.1,
            url: "http://server/employeesearch.cc?actionid=showlist',",
         },
         {
            trust: 0.1,
            url: "http://www.coresecurity.com.",
         },
         {
            trust: 0.1,
            url: "http://server/accounts/resetresult'.",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2010-3273",
         },
         {
            trust: 0.1,
            url: "http://server/employeesearch.cc?actionid=showlist&searchstring=alice%22%20onmouseover=%22alert%28%27xss%27%29&parametername=name&searchtype=contains",
         },
         {
            trust: 0.1,
            url: "http://www.coresecurity.com/files/attachments/core_security_advisories.asc.",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2010-3272",
         },
         {
            trust: 0.1,
            url: "http://www.manageengine.com/products/self-service-password.",
         },
         {
            trust: 0.1,
            url: "http://server/employeesearch.cc?actionid=search'",
         },
         {
            trust: 0.1,
            url: "https://nvd.nist.gov/vuln/detail/cve-2010-3274",
         },
         {
            trust: 0.1,
            url: "http://server/employeesearch.cc?actionid=search'.",
         },
         {
            trust: 0.1,
            url: "http://server/accounts/validateanswers?methodtocall=validateall",
         },
         {
            trust: 0.1,
            url: "http://server/employeesearch.cc?actionid=showlist'.",
         },
         {
            trust: 0.1,
            url: "http://server/employeesearch.cc?actionid=search&amp;parametername=name&amp;searchtype=contains&amp;searchstring=alice%22+onmouseover%3d%22javascript%3aalert%28%27xss%27%29",
         },
         {
            trust: 0.1,
            url: "http://server/accounts/validateuser",
         },
         {
            trust: 0.1,
            url: "http://secunia.com/products/corporate/evm/",
         },
         {
            trust: 0.1,
            url: "http://secunia.com/products/corporate/vim/section_179/",
         },
         {
            trust: 0.1,
            url: "http://secunia.com/advisories/secunia_security_advisories/",
         },
         {
            trust: 0.1,
            url: "http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/",
         },
         {
            trust: 0.1,
            url: "http://secunia.com/advisories/43241/#comments",
         },
         {
            trust: 0.1,
            url: "https://ca.secunia.com/?page=viewadvisory&vuln_id=43241",
         },
         {
            trust: 0.1,
            url: "http://secunia.com/vulnerability_scanning/personal/",
         },
         {
            trust: 0.1,
            url: "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org",
         },
         {
            trust: 0.1,
            url: "http://secunia.com/advisories/43241/",
         },
         {
            trust: 0.1,
            url: "http://secunia.com/advisories/about_secunia_advisories/",
         },
      ],
      sources: [
         {
            db: "CNVD",
            id: "CNVD-2011-0527",
         },
         {
            db: "BID",
            id: "46331",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-003868",
         },
         {
            db: "PACKETSTORM",
            id: "98397",
         },
         {
            db: "PACKETSTORM",
            id: "98429",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201102-265",
         },
         {
            db: "NVD",
            id: "CVE-2010-3274",
         },
      ],
   },
   sources: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            db: "IVD",
            id: "7d7a93e3-463f-11e9-9a1c-000c29342cb1",
         },
         {
            db: "IVD",
            id: "4677780a-2355-11e6-abef-000c29c66e3d",
         },
         {
            db: "CNVD",
            id: "CNVD-2011-0527",
         },
         {
            db: "BID",
            id: "46331",
         },
         {
            db: "JVNDB",
            id: "JVNDB-2011-003868",
         },
         {
            db: "PACKETSTORM",
            id: "98397",
         },
         {
            db: "PACKETSTORM",
            id: "98429",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201102-265",
         },
         {
            db: "NVD",
            id: "CVE-2010-3274",
         },
      ],
   },
   sources_release_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2011-02-12T00:00:00",
            db: "IVD",
            id: "7d7a93e3-463f-11e9-9a1c-000c29342cb1",
         },
         {
            date: "2011-02-12T00:00:00",
            db: "IVD",
            id: "4677780a-2355-11e6-abef-000c29c66e3d",
         },
         {
            date: "2011-02-12T00:00:00",
            db: "CNVD",
            id: "CNVD-2011-0527",
         },
         {
            date: "2011-02-10T00:00:00",
            db: "BID",
            id: "46331",
         },
         {
            date: "2012-03-27T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2011-003868",
         },
         {
            date: "2011-02-10T19:02:02",
            db: "PACKETSTORM",
            id: "98397",
         },
         {
            date: "2011-02-11T04:22:16",
            db: "PACKETSTORM",
            id: "98429",
         },
         {
            date: "2011-02-18T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201102-265",
         },
         {
            date: "2011-02-17T18:00:03.073000",
            db: "NVD",
            id: "CVE-2010-3274",
         },
      ],
   },
   sources_update_date: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
         data: {
            "@container": "@list",
         },
      },
      data: [
         {
            date: "2011-02-12T00:00:00",
            db: "CNVD",
            id: "CNVD-2011-0527",
         },
         {
            date: "2011-02-10T00:00:00",
            db: "BID",
            id: "46331",
         },
         {
            date: "2012-03-27T00:00:00",
            db: "JVNDB",
            id: "JVNDB-2011-003868",
         },
         {
            date: "2011-02-18T00:00:00",
            db: "CNNVD",
            id: "CNNVD-201102-265",
         },
         {
            date: "2024-11-21T01:18:25",
            db: "NVD",
            id: "CVE-2010-3274",
         },
      ],
   },
   threat_type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "remote",
      sources: [
         {
            db: "CNNVD",
            id: "CNNVD-201102-265",
         },
      ],
      trust: 0.6,
   },
   title: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/title#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "ManageEngine ADSelfService Plus Cross-Site Scripting Vulnerability",
      sources: [
         {
            db: "IVD",
            id: "7d7a93e3-463f-11e9-9a1c-000c29342cb1",
         },
         {
            db: "IVD",
            id: "4677780a-2355-11e6-abef-000c29c66e3d",
         },
         {
            db: "CNVD",
            id: "CNVD-2011-0527",
         },
      ],
      trust: 1,
   },
   type: {
      "@context": {
         "@vocab": "https://www.variotdbs.pl/ref/type#",
         sources: {
            "@container": "@list",
            "@context": {
               "@vocab": "https://www.variotdbs.pl/ref/sources#",
            },
         },
      },
      data: "xss",
      sources: [
         {
            db: "PACKETSTORM",
            id: "98397",
         },
         {
            db: "PACKETSTORM",
            id: "98429",
         },
         {
            db: "CNNVD",
            id: "CNNVD-201102-265",
         },
      ],
      trust: 0.8,
   },
}

ghsa-qh63-cgwm-3qjp

Vulnerability from github

Published

2022-05-14 02:43

Modified

2022-05-14 02:43

Details

Show details on source website

JSON

To clipboard

{
   affected: [],
   aliases: [
      "CVE-2010-3274",
   ],
   database_specific: {
      cwe_ids: [
         "CWE-79",
      ],
      github_reviewed: false,
      github_reviewed_at: null,
      nvd_published_at: "2011-02-17T18:00:00Z",
      severity: "MODERATE",
   },
   details: "Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in the Employee Search Engine in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allow remote attackers to inject arbitrary web script or HTML via the searchString parameter in a (1) showList or (2) Search action.",
   id: "GHSA-qh63-cgwm-3qjp",
   modified: "2022-05-14T02:43:18Z",
   published: "2022-05-14T02:43:18Z",
   references: [
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2010-3274",
      },
      {
         type: "WEB",
         url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/65349",
      },
      {
         type: "WEB",
         url: "http://secunia.com/advisories/43241",
      },
      {
         type: "WEB",
         url: "http://securityreason.com/securityalert/8089",
      },
      {
         type: "WEB",
         url: "http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities",
      },
      {
         type: "WEB",
         url: "http://www.osvdb.org/70871",
      },
      {
         type: "WEB",
         url: "http://www.osvdb.org/70872",
      },
      {
         type: "WEB",
         url: "http://www.securityfocus.com/archive/1/516396/100/0/threaded",
      },
      {
         type: "WEB",
         url: "http://www.securityfocus.com/bid/46331",
      },
      {
         type: "WEB",
         url: "http://www.vupen.com/english/advisories/2011/0392",
      },
   ],
   schema_version: "1.4.0",
   severity: [],
}

fkie_cve-2010-3274

Vulnerability from fkie_nvd

Published

2011-02-17 18:00

Modified

2025-04-11 00:51

Severity ?

Summary

References

URL	Tags
cve@mitre.org	http://secunia.com/advisories/43241	Vendor Advisory
cve@mitre.org	http://securityreason.com/securityalert/8089
cve@mitre.org	http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities	Exploit
cve@mitre.org	http://www.osvdb.org/70871	Exploit
cve@mitre.org	http://www.osvdb.org/70872	Exploit
cve@mitre.org	http://www.securityfocus.com/archive/1/516396/100/0/threaded
cve@mitre.org	http://www.securityfocus.com/bid/46331	Exploit
cve@mitre.org	http://www.vupen.com/english/advisories/2011/0392	Vendor Advisory
cve@mitre.org	https://exchange.xforce.ibmcloud.com/vulnerabilities/65349
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/43241	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://securityreason.com/securityalert/8089
af854a3a-2127-422b-91ae-364da2661108	http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities	Exploit
af854a3a-2127-422b-91ae-364da2661108	http://www.osvdb.org/70871	Exploit
af854a3a-2127-422b-91ae-364da2661108	http://www.osvdb.org/70872	Exploit
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/archive/1/516396/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/46331	Exploit
af854a3a-2127-422b-91ae-364da2661108	http://www.vupen.com/english/advisories/2011/0392	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://exchange.xforce.ibmcloud.com/vulnerabilities/65349

Impacted products

	Vendor	Product	Version
	zohocorp	manageengine_adselfservice_plus	*

JSON

To clipboard

{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "40A75087-E063-4DDE-8C0A-296A2F3A29FD",
                     versionEndIncluding: "4.4",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in the Employee Search Engine in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allow remote attackers to inject arbitrary web script or HTML via the searchString parameter in a (1) showList or (2) Search action.",
      },
      {
         lang: "es",
         value: "Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en EmployeeSearch.cc en el Employee Search Engine en ZOHO ManageEngine ADSelfService Plus anterior a v4.5 Build 4500 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro searchString en la acción (1) showList o (2) Search.",
      },
   ],
   id: "CVE-2010-3274",
   lastModified: "2025-04-11T00:51:21.963",
   metrics: {
      cvssMetricV2: [
         {
            acInsufInfo: false,
            baseSeverity: "MEDIUM",
            cvssData: {
               accessComplexity: "MEDIUM",
               accessVector: "NETWORK",
               authentication: "NONE",
               availabilityImpact: "NONE",
               baseScore: 4.3,
               confidentialityImpact: "NONE",
               integrityImpact: "PARTIAL",
               vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
               version: "2.0",
            },
            exploitabilityScore: 8.6,
            impactScore: 2.9,
            obtainAllPrivilege: false,
            obtainOtherPrivilege: false,
            obtainUserPrivilege: false,
            source: "nvd@nist.gov",
            type: "Primary",
            userInteractionRequired: true,
         },
      ],
   },
   published: "2011-02-17T18:00:03.073",
   references: [
      {
         source: "cve@mitre.org",
         tags: [
            "Vendor Advisory",
         ],
         url: "http://secunia.com/advisories/43241",
      },
      {
         source: "cve@mitre.org",
         url: "http://securityreason.com/securityalert/8089",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
         ],
         url: "http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
         ],
         url: "http://www.osvdb.org/70871",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
         ],
         url: "http://www.osvdb.org/70872",
      },
      {
         source: "cve@mitre.org",
         url: "http://www.securityfocus.com/archive/1/516396/100/0/threaded",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Exploit",
         ],
         url: "http://www.securityfocus.com/bid/46331",
      },
      {
         source: "cve@mitre.org",
         tags: [
            "Vendor Advisory",
         ],
         url: "http://www.vupen.com/english/advisories/2011/0392",
      },
      {
         source: "cve@mitre.org",
         url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/65349",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "http://secunia.com/advisories/43241",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://securityreason.com/securityalert/8089",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
         ],
         url: "http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
         ],
         url: "http://www.osvdb.org/70871",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
         ],
         url: "http://www.osvdb.org/70872",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://www.securityfocus.com/archive/1/516396/100/0/threaded",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Exploit",
         ],
         url: "http://www.securityfocus.com/bid/46331",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         tags: [
            "Vendor Advisory",
         ],
         url: "http://www.vupen.com/english/advisories/2011/0392",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/65349",
      },
   ],
   sourceIdentifier: "cve@mitre.org",
   vulnStatus: "Deferred",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-79",
            },
         ],
         source: "nvd@nist.gov",
         type: "Primary",
      },
   ],
}

gsd-2010-3274

Vulnerability from gsd

Modified

2023-12-13 01:21

Details

Aliases

CVE-2010-3274

Aliases

CVE-2010-3274

JSON

To clipboard

{
   GSD: {
      alias: "CVE-2010-3274",
      description: "Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in the Employee Search Engine in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allow remote attackers to inject arbitrary web script or HTML via the searchString parameter in a (1) showList or (2) Search action.",
      id: "GSD-2010-3274",
      references: [
         "https://packetstormsecurity.com/files/cve/CVE-2010-3274",
      ],
   },
   gsd: {
      metadata: {
         exploitCode: "unknown",
         remediation: "unknown",
         reportConfidence: "confirmed",
         type: "vulnerability",
      },
      osvSchema: {
         aliases: [
            "CVE-2010-3274",
         ],
         details: "Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in the Employee Search Engine in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allow remote attackers to inject arbitrary web script or HTML via the searchString parameter in a (1) showList or (2) Search action.",
         id: "GSD-2010-3274",
         modified: "2023-12-13T01:21:33.688939Z",
         schema_version: "1.4.0",
      },
   },
   namespaces: {
      "cve.org": {
         CVE_data_meta: {
            ASSIGNER: "cve@mitre.org",
            ID: "CVE-2010-3274",
            STATE: "PUBLIC",
         },
         affects: {
            vendor: {
               vendor_data: [
                  {
                     product: {
                        product_data: [
                           {
                              product_name: "n/a",
                              version: {
                                 version_data: [
                                    {
                                       version_value: "n/a",
                                    },
                                 ],
                              },
                           },
                        ],
                     },
                     vendor_name: "n/a",
                  },
               ],
            },
         },
         data_format: "MITRE",
         data_type: "CVE",
         data_version: "4.0",
         description: {
            description_data: [
               {
                  lang: "eng",
                  value: "Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in the Employee Search Engine in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allow remote attackers to inject arbitrary web script or HTML via the searchString parameter in a (1) showList or (2) Search action.",
               },
            ],
         },
         problemtype: {
            problemtype_data: [
               {
                  description: [
                     {
                        lang: "eng",
                        value: "n/a",
                     },
                  ],
               },
            ],
         },
         references: {
            reference_data: [
               {
                  name: "43241",
                  refsource: "SECUNIA",
                  url: "http://secunia.com/advisories/43241",
               },
               {
                  name: "70872",
                  refsource: "OSVDB",
                  url: "http://www.osvdb.org/70872",
               },
               {
                  name: "ADV-2011-0392",
                  refsource: "VUPEN",
                  url: "http://www.vupen.com/english/advisories/2011/0392",
               },
               {
                  name: "20110210 CORE-2011-0103 - ZOHO ManageEngine ADSelfService multiple vulnerabilities",
                  refsource: "BUGTRAQ",
                  url: "http://www.securityfocus.com/archive/1/516396/100/0/threaded",
               },
               {
                  name: "8089",
                  refsource: "SREASON",
                  url: "http://securityreason.com/securityalert/8089",
               },
               {
                  name: "adselfservice-employeesearch-xss(65349)",
                  refsource: "XF",
                  url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/65349",
               },
               {
                  name: "70871",
                  refsource: "OSVDB",
                  url: "http://www.osvdb.org/70871",
               },
               {
                  name: "http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities",
                  refsource: "MISC",
                  url: "http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities",
               },
               {
                  name: "46331",
                  refsource: "BID",
                  url: "http://www.securityfocus.com/bid/46331",
               },
            ],
         },
      },
      "nvd.nist.gov": {
         configurations: {
            CVE_data_version: "4.0",
            nodes: [
               {
                  children: [],
                  cpe_match: [
                     {
                        cpe23Uri: "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:*:*:*:*:*:*:*:*",
                        cpe_name: [],
                        versionEndIncluding: "4.4",
                        vulnerable: true,
                     },
                  ],
                  operator: "OR",
               },
            ],
         },
         cve: {
            CVE_data_meta: {
               ASSIGNER: "cve@mitre.org",
               ID: "CVE-2010-3274",
            },
            data_format: "MITRE",
            data_type: "CVE",
            data_version: "4.0",
            description: {
               description_data: [
                  {
                     lang: "en",
                     value: "Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in the Employee Search Engine in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allow remote attackers to inject arbitrary web script or HTML via the searchString parameter in a (1) showList or (2) Search action.",
                  },
               ],
            },
            problemtype: {
               problemtype_data: [
                  {
                     description: [
                        {
                           lang: "en",
                           value: "CWE-79",
                        },
                     ],
                  },
               ],
            },
            references: {
               reference_data: [
                  {
                     name: "43241",
                     refsource: "SECUNIA",
                     tags: [
                        "Vendor Advisory",
                     ],
                     url: "http://secunia.com/advisories/43241",
                  },
                  {
                     name: "70872",
                     refsource: "OSVDB",
                     tags: [
                        "Exploit",
                     ],
                     url: "http://www.osvdb.org/70872",
                  },
                  {
                     name: "70871",
                     refsource: "OSVDB",
                     tags: [
                        "Exploit",
                     ],
                     url: "http://www.osvdb.org/70871",
                  },
                  {
                     name: "http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities",
                     refsource: "MISC",
                     tags: [
                        "Exploit",
                     ],
                     url: "http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities",
                  },
                  {
                     name: "ADV-2011-0392",
                     refsource: "VUPEN",
                     tags: [
                        "Vendor Advisory",
                     ],
                     url: "http://www.vupen.com/english/advisories/2011/0392",
                  },
                  {
                     name: "46331",
                     refsource: "BID",
                     tags: [
                        "Exploit",
                     ],
                     url: "http://www.securityfocus.com/bid/46331",
                  },
                  {
                     name: "8089",
                     refsource: "SREASON",
                     tags: [],
                     url: "http://securityreason.com/securityalert/8089",
                  },
                  {
                     name: "adselfservice-employeesearch-xss(65349)",
                     refsource: "XF",
                     tags: [],
                     url: "https://exchange.xforce.ibmcloud.com/vulnerabilities/65349",
                  },
                  {
                     name: "20110210 CORE-2011-0103 - ZOHO ManageEngine ADSelfService multiple vulnerabilities",
                     refsource: "BUGTRAQ",
                     tags: [],
                     url: "http://www.securityfocus.com/archive/1/516396/100/0/threaded",
                  },
               ],
            },
         },
         impact: {
            baseMetricV2: {
               cvssV2: {
                  accessComplexity: "MEDIUM",
                  accessVector: "NETWORK",
                  authentication: "NONE",
                  availabilityImpact: "NONE",
                  baseScore: 4.3,
                  confidentialityImpact: "NONE",
                  integrityImpact: "PARTIAL",
                  vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
                  version: "2.0",
               },
               exploitabilityScore: 8.6,
               impactScore: 2.9,
               obtainAllPrivilege: false,
               obtainOtherPrivilege: false,
               obtainUserPrivilege: false,
               severity: "MEDIUM",
               userInteractionRequired: true,
            },
         },
         lastModifiedDate: "2018-10-10T20:01Z",
         publishedDate: "2011-02-17T18:00Z",
      },
   },
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2010-3274

Vulnerability from cvelistv5

var-201102-0051

Vulnerability from variot

ghsa-qh63-cgwm-3qjp

Vulnerability from github

fkie_cve-2010-3274

Vulnerability from fkie_nvd

gsd-2010-3274

Vulnerability from gsd

Tags

Sightings

Nomenclature