CVE-2015-0866 - Vulnerability Details - OpenCVE

Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.9 before hotfix 7941 allow remote attackers to inject arbitrary web script or HTML via the (1) fromCustomer, (2) username, or (3) password parameter to HomePage.do.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Zohocorp	Manageengine Supportcenter Plus

Configuration 1 [-]

cpe:2.3:a:zohocorp:manageengine_supportcenter_plus:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.securityfocus.com/archive/1/534564/100/0/threaded
http://www.securityfocus.com/bid/72349
https://forums.manageengine.com/topic/security-update-for-supportcenter-plus
https://www.htbridge.com/advisory/HTB23247

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2015-02-02T15:00:00

Updated: 2024-08-06T04:26:11.166Z

Reserved: 2015-01-07T00:00:00

Link: CVE-2015-0866

Vulnrichment

No data.

NVD

Status : Modified

Published: 2015-02-02T15:59:00.050

Modified: 2024-11-21T02:23:52.957

Link: CVE-2015-0866

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-01-23T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.9 before hotfix 7941 allow remote attackers to inject arbitrary web script or HTML via the (1) fromCustomer, (2) username, or (3) password parameter to HomePage.do."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.htbridge.com/advisory/HTB23247"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://forums.manageengine.com/topic/security-update-for-supportcenter-plus"}, {"name": "72349", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/72349"}, {"name": "20150128 Two XSS Vulnerabilities in SupportCenter Plus", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/534564/100/0/threaded"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-0866", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.9 before hotfix 7941 allow remote attackers to inject arbitrary web script or HTML via the (1) fromCustomer, (2) username, or (3) password parameter to HomePage.do."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.htbridge.com/advisory/HTB23247", "refsource": "MISC", "url": "https://www.htbridge.com/advisory/HTB23247"}, {"name": "https://forums.manageengine.com/topic/security-update-for-supportcenter-plus", "refsource": "CONFIRM", "url": "https://forums.manageengine.com/topic/security-update-for-supportcenter-plus"}, {"name": "72349", "refsource": "BID", "url": "http://www.securityfocus.com/bid/72349"}, {"name": "20150128 Two XSS Vulnerabilities in SupportCenter Plus", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/534564/100/0/threaded"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T04:26:11.166Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.htbridge.com/advisory/HTB23247"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://forums.manageengine.com/topic/security-update-for-supportcenter-plus"}, {"name": "72349", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/72349"}, {"name": "20150128 Two XSS Vulnerabilities in SupportCenter Plus", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/534564/100/0/threaded"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-0866", "datePublished": "2015-02-02T15:00:00", "dateReserved": "2015-01-07T00:00:00", "dateUpdated": "2024-08-06T04:26:11.166Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zohocorp:manageengine_supportcenter_plus:*:*:*:*:*:*:*:*", "matchCriteriaId": "D4CB451E-7584-4E7F-A1E7-D332B4335A32", "versionEndIncluding": "7.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.9 before hotfix 7941 allow remote attackers to inject arbitrary web script or HTML via the (1) fromCustomer, (2) username, or (3) password parameter to HomePage.do."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en Zoho ManageEngine SupportCenter Plus 7.9 anterior a hotfix 7941 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s del par\u00e1metro (1) fromCustomer, (2) username, o (3) password en HomePage.do."}], "id": "CVE-2015-0866", "lastModified": "2024-11-21T02:23:52.957", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2015-02-02T15:59:00.050", "references": [{"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/534564/100/0/threaded"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/72349"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://forums.manageengine.com/topic/security-update-for-supportcenter-plus"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://www.htbridge.com/advisory/HTB23247"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/534564/100/0/threaded"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://www.securityfocus.com/bid/72349"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://forums.manageengine.com/topic/security-update-for-supportcenter-plus"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://www.htbridge.com/advisory/HTB23247"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}