XSS Vulnerabilities in Zoho ManageEngine Event Log Analyzer by Zoho
CVE-2017-11686

6.1MEDIUM

Key Information:

Vendor: Zohocorp
Status: Manageengine Eventlog Analyzer
Vendor: CVE Published:; 27 July 2017

What is CVE-2017-11686?

The Zoho ManageEngine Event Log Analyzer versions 11.4 and 11.5 are affected by Cross-Site Scripting (XSS) vulnerabilities, allowing remote attackers to capture an authenticated user's password. This security flaw arises from the use of reversible encoding for passwords stored in cookies, which can be exploited by attackers sniffing non-SSL traffic on the network. As a result, sensitive credentials are at risk, making it crucial for users to address this vulnerability to safeguard their accounts.

References

http://init6.me/exploiting-manageengine-eventlog-analyzer...

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 27, 2017
Vulnerability Reserved
Jul 26, 2017

Zohocorp

What is CVE-2017-11686?

References

CVSS V3.1

Timeline