Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allows remote attackers to obtain an authenticated user's password via XSS vulnerabilities or sniffing non-SSL traffic on the network, because the password is represented in a cookie with a reversible encoding method.
References
Link | Resource |
---|---|
http://init6.me/exploiting-manageengine-eventlog-analyzer.html | Exploit Technical Description Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Information
Published : 2017-07-26 23:29
Updated : 2017-08-02 09:24
NVD link : CVE-2017-11686
Mitre link : CVE-2017-11686
JSON object : View
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Products Affected
zohocorp
- manageengine_eventlog_analyzer