5 matches found
ManageEngine OpStor跨站脚本和特权提升漏洞
Bugtraq ID:66499 CVE ID:CVE-2014-0344 ManageEngine OpStor是一个存储设备监控解决方案,帮助企业有效监控存储资源。 ManageEngine OpStor存在多个安全楼的那个: 1,ManageEngine OpStor不正确校验低权限用户对'Properties.do?name='模块的访问,允许低权限用户修改隐藏‘edit’布尔参数为'true',提升为管理员权限。 2,ManageEngine OpStor不正确过滤用户提交的参数,允许攻击者利用漏洞进行跨站脚本攻击。 0 ManageEngine OpStor Build 83...
Cross site scripting
Cross-site scripting XSS vulnerability in Properties.do in ZOHO ManageEngine OpStor before build 8500 allows remote authenticated users to inject arbitrary web script or HTML via the name parameter, a different vulnerability than CVE-2014-0344...
CVE-2014-0344
Properties.do in ZOHO ManageEngine OpStor before build 8500 does not properly check privilege levels, which allows remote authenticated users to obtain Admin access by using the name parameter in conjunction with a true value of the edit parameter...
CVE-2014-0344
ManageEngine OpStor (prior to build 8500) contains privilege-escale vulnerability in Properties.do?name that allows a low-privilege user to set the hidden edit parameter to true and gain Admin access; a cross-site scripting issue is also reported for the same component. Build 8500 supposedly fixe...
ManageEngine OpStor Build 8300 and earlier contain multiple vulnerabilities
Overview ManageEngine OpStor Build 8300 and earlier contain multiple vulnerabilities. Description CWE-472: External Control of Assumed-Immutable Web ParameterIt has been reported that the 'Properties.do?name=' module is vulnerable to an ‘unauthorized function call’ caused by server failing to...