Release date:
Updated on:
Affected Systems:
ManageEngine EventLog Analyzer 8.6
Description:
--------------------------------------------------------------------------------
ManageEngine EventLog Analyzer is a security information and event management software.
ManageEngine EventLog Analyzer 8.6 and other versions do not properly filter the "j_username" GET parameter of event/j_security_check (after "j_password" is set). This allows arbitrary HTML and script code to be executed in a user's browser session in the context of the affected site.
<* Source: Asheesh Anaconda
Link: http://secunia.com/advisories/56520/
*>
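Defenders can look for the request pattern described above in web-server access logs. The following Python check is an added example, not part of the original advisory or of the vendor's code; the Common Log Format input, the sample lines and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a Common Log Format entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Characters that let a reflected value break out of HTML text or attributes.
HTML_META = re.compile(r'[<>"\']')
TARGET_PATH = "/event/j_security_check"  # endpoint named in the advisory

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_j_username(log_line):
    """Return the decoded j_username when a GET to the login endpoint carries
    j_password and HTML metacharacters in j_username; otherwise None."""
    m = REQUEST_RE.search(log_line)
    if not m or m.group("method") != "GET":
        return None
    url = urlsplit(m.group("target"))
    if not url.path.rstrip("/").endswith(TARGET_PATH):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # decodes once
    if "j_password" not in params:
        return None
    for raw in params.get("j_username", []):
        value = fully_decode(raw)  # catch double-encoded values too
        if HTML_META.search(value):
            return value
    return None

# Constructed sample access-log lines (not taken from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2014:10:00:00 +0000] "GET /event/j_security_check?j_username=admin&j_password=x HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2014:10:00:05 +0000] "GET /event/j_security_check?j_password=x&j_username=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 733',
    '192.0.2.12 - - [01/Jan/2014:10:00:09 +0000] "GET /event/j_security_check?j_password=x&j_username=%2522%253E%253Cb%253E HTTP/1.1" 200 640',
    '192.0.2.13 - - [01/Jan/2014:10:00:12 +0000] "GET /event/index.do?q=%3Cb%3E HTTP/1.1" 200 100',
]

def scan(lines):
    """Return (line index, decoded j_username) for every flagged line."""
    return [(i, v) for i, line in enumerate(lines) if (v := suspicious_j_username(line))]

if __name__ == "__main__":
    for idx, value in scan(SAMPLE_LOG):
        print(f"line {idx}: j_username={value!r}")
```

A hit shows only that markup was submitted in "j_username"; whether it was reflected unescaped has to be confirmed against the response.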
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
ManageEngine
------------
Currently, the vendor does not provide a patch or upgrade. Users of the software should watch the vendor's homepage to obtain the latest version:
http://www.manageengine.com/products/eventlog/
References:
http://packetstormsecurity.com/files/124821/ManageEngine-EventLog-Analyzer-8.6-Cross-Site-Scripting.html