CVE-2015-5150 – ManageEngine SupportCenter Plus 7.90 - Multiple Vulnerabilities

https://notcve.org/view.php?id=CVE-2015-5150

Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.90 allow remote authenticated users to inject arbitrary web script or HTML via the (1) query parameter in the run_query_editor_query module to CustomReportHandler.do, (2) compAcct parameter to jsp/ResetADPwd.jsp, or (3) redirectTo parameter to jsp/CacheScreenWidth.jsp. Múltiples vulnerabilidades de XSS en Zoho ManageEngine SupportCenter Plus 7.90 permiten a usuarios remotos autenticados inyectar secuencias de comandos web arbitrarios o HTML a través (1) del parámetro query en el módulo run_query_editor_query en CustomReportHandler.do, (2) del parámetro compAcct en jsp/ResetADPwd.jsp, o (3) del parámetro redirectTo en jsp/CacheScreenWidth.jsp. • https://www.exploit-db.com/exploits/37322 http://packetstormsecurity.com/files/132376/ManageEngine-SupportCenter-Plus-7.90-XSS-Traversal-Password-Disclosure.html http://www.vulnerability-lab.com/get_content.php?id=1501 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •