
ManageEngine Firewall Analyzer 8.5 SP-5.0 Multiple XSS Vulnerabilities

Medium
Advisory ID
ZSL-2016-5307
Release Date
23 February 2016
Vendor
Zoho Corporation Pvt. Ltd. - https://www.manageengine.com
Affected Version
8.5 SP-5.0 (Build 8500)
CVE
N/A
Tested On
Apache-Coyote/1.1
Summary

ManageEngine Firewall Analyzer is an agent-less log analytics and configuration management software that helps network administrators centrally collect, archive, and analyze their security device logs and generate forensic reports from them.

Description

Firewall Analyzer suffers from multiple reflected cross-site scripting vulnerabilities because input passed via several parameters to several scripts is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Proof of Concept
Disclosure Timeline
26.01.2016 - Vulnerabilities discovered.
29.01.2016 - Vendor contacted.
01.02.2016 - Vendor responds asking for more details.
01.02.2016 - Sent details to the vendor.
02.02.2016 - Vendor security team looking into the issues.
12.02.2016 - Asked vendor for status update.
15.02.2016 - Vendor states that this was forwarded to the R&D team and will be fixed in the next release.
15.02.2016 - Asked vendor to provide more information about the release date and patch version.
23.02.2016 - Vendor released version 12, which fixes these issues; a separate upgrade for 8.5 will be available in a couple of months' time.
23.02.2016 - Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
23.02.2016 - Initial release
24.02.2016 - Added reference [1]
25.02.2016 - Added reference [2]
29.02.2016 - Added reference [3]