Vulnerabilities > CVE-2007-3594 - Cross-Site Scripting vulnerability in Adventnet Manageengine Netflow Analyzer 6/7
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
NONE Integrity impact
PARTIAL Availability impact
NONE Summary
Multiple cross-site scripting (XSS) vulnerabilities in AdventNet ManageEngine OpManager 6 and 7 allow remote attackers to inject arbitrary web script or HTML via the (1) name parameter in (a) ping.do and (b) traceRoute.do in map/; the (2) reportName, (3) displayName, and (4) selectedNode parameters to (c) reports/ReportViewAction.do; the (5) operation parameter to (d) admin/ServiceConfiguration.do; and the (6) selectedNode and (7) selectedTab parameters to (e) admin/DeviceAssociation.do. NOTE: the searchTerm parameter in Search.do is already covered by CVE-2006-2343.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 2 |
Exploit-Db
description OpManager 6/7 ping.do name Parameter XSS. CVE-2007-3594 . Webapps exploit for java platform id EDB-ID:30271 last seen 2016-02-03 modified 2007-07-04 published 2007-07-04 reporter Lostmon source https://www.exploit-db.com/download/30271/ title OpManager 6/7 ping.do name Parameter XSS description OpManager 6/7 reports/ReportViewAction.do Multiple Parameter XSS. CVE-2007-3594. Webapps exploit for java platform id EDB-ID:30273 last seen 2016-02-03 modified 2007-07-04 published 2007-07-04 reporter Lostmon source https://www.exploit-db.com/download/30273/ title OpManager 6/7 reports/ReportViewAction.do Multiple Parameter XSS description OpManager 6/7 admin/DeviceAssociation.do Multiple Parameter XSS. CVE-2007-3594. Webapps exploit for java platform id EDB-ID:30275 last seen 2016-02-03 modified 2007-07-04 published 2007-07-04 reporter Lostmon source https://www.exploit-db.com/download/30275/ title OpManager 6/7 admin/DeviceAssociation.do Multiple Parameter XSS description OpManager 6/7 traceRoute.do name Parameter XSS. CVE-2007-3594. Webapps exploit for java platform id EDB-ID:30272 last seen 2016-02-03 modified 2007-07-04 published 2007-07-04 reporter Lostmon source https://www.exploit-db.com/download/30272/ title OpManager 6/7 - traceRoute.do name Parameter XSS description OpManager 6/7 admin/ServiceConfiguration.do operation Parameter XSS a. CVE-2007-3594. Webapps exploit for java platform id EDB-ID:30274 last seen 2016-02-03 modified 2007-07-04 published 2007-07-04 reporter Lostmon source https://www.exploit-db.com/download/30274/ title OpManager 6/7 admin/ServiceConfiguration.do operation Parameter XSS
References
- http://lostmon.blogspot.com/2007/07/netflow-analizer-5-opmanager-7-multiple.html
- http://osvdb.org/37821
- http://osvdb.org/37822
- http://osvdb.org/37823
- http://osvdb.org/37824
- http://osvdb.org/37825
- http://osvdb.org/38945
- http://osvdb.org/38946
- http://osvdb.org/38947
- http://osvdb.org/38948
- http://osvdb.org/38949
- http://www.securityfocus.com/bid/24767
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35263