Cross-Site Scripting Flaw in Zoho ManageEngine Netflow Analyzer
CVE-2019-8927

6.1MEDIUM

Key Information:

Vendor

Zohocorp
Status
Manageengine Netflow Analyzer
Vendor
CVE Published:
17 May 2019

What is CVE-2019-8927?

A Cross-Site Scripting (XSS) vulnerability was identified in Zoho ManageEngine Netflow Analyzer Professional version 7.0.0.2, affecting the Administration zone. The vulnerability occurs in the 'scheduleConfig.jsp' file, allowing attackers to exploit specific GET parameters such as devSrc, emailId, and others to inject malicious scripts into the application. This could potentially lead to unauthorized actions being executed on behalf of the administrator, thereby compromising the security of the system.

References

http://packetstormsecurity.com/files/151757/Zoho-ManageEn...
x_refsource_MISC
https://www.manageengine.com/products/netflow/?doc
x_refsource_MISC
http://seclists.org/fulldisclosure/2019/Feb/45
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.