BID:106302

ZOHO ManageEngine OpManager Multiple Security Vulnerabilities

CVE-2018-20338 | CVE-2018-20339 |

Info

ZOHO ManageEngine OpManager Multiple Security Vulnerabilities

Bugtraq ID:	106302
Class:	Input Validation Error
CVE:	CVE-2018-20338 CVE-2018-20339
Remote:	Yes
Local:	No
Published:	Dec 21 2018 12:00AM
Updated:	Dec 21 2018 12:00AM
Credit:	The vendor reported this issue.
Vulnerable:	Zohocorp Manageengine Opmanager 12.3 build 123239

Not Vulnerable:	Zohocorp Manageengine Opmanager 12.3 build 123240

Discussion

ZOHO ManageEngine OpManager Multiple Security Vulnerabilities

ZOHO manageengine opmanager is prone to multiple security vulnerabilities.

Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Versions prior to ManageEngine OpManager 12.3 build 123239 are vulnerable.

Exploit / POC

ZOHO ManageEngine OpManager Multiple Security Vulnerabilities

Attackers can use a browser to exploit these issues. To exploit the cross-site scripting issue, an attacker must entice an unsuspecting user into following a malicious URI.

Solution / Fix

ZOHO ManageEngine OpManager Multiple Security Vulnerabilities

Solution:
Updates are available. Please see the references or vendor advisory for more information.

References

ZOHO ManageEngine OpManager Multiple Security Vulnerabilities

References:

Manage Engine Home Page (Manage Engine)
Manage Engine OpManager Product Page (Manage Engine)
Manage Engine Releases Notes (Manage Engine)