Vulnerability Note VU#140886
ManageEngine OpStor Build 8300 and earlier contain multiple vulnerabilities
CWE-472: External Control of Assumed-Immutable Web Parameter
It has been reported that the 'Properties.do?name=' module is vulnerable to an ‘unauthorized function call’ because the server fails to properly verify the privilege level of the user (i.e., Admin, User, or Guest). A lower-privileged user (i.e., Guest or User) could set the hidden ‘edit’ boolean parameter to ‘true’ and gain Admin-level authority, allowing them to modify the device name and other information.
An attacker may be able to read files from the filesystem, read or modify data in the application database, execute arbitrary scripts in the context of a victim's browser, redirect users to other websites, and forge requests on behalf of the victim.
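The missing server-side privilege check behind the 'edit' parameter issue described above, shown as an added example (not OpStor code and not part of the original note). The handlers, role table, sample device and `new_name` field are hypothetical; only the `name` and `edit` parameters come from the note.

```python
# Added illustration of CWE-472; handler names, roles table and 'new_name'
# are hypothetical. Only the 'name' and 'edit' parameters come from the note.
from dataclasses import dataclass

# Server-side policy: which roles may change device properties.
ROLE_CAN_EDIT = {"Admin": True, "User": False, "Guest": False}

@dataclass
class Session:
    user: str
    role: str  # assigned by the server at login, never read from the request

def fresh_store():
    """Constructed sample data standing in for the device inventory."""
    return {"array-01": {"name": "array-01"}}

def handle_properties_vulnerable(session, params, store):
    """Flawed pattern: the hidden 'edit' form field decides whether to write."""
    device = store.get(params.get("name", ""))
    if device is None:
        return "not_found"
    if params.get("edit") == "true" and "new_name" in params:
        device["name"] = params["new_name"]  # session.role is never consulted
        return "updated"
    return "view"

def handle_properties_hardened(session, params, store):
    """Corrected pattern: 'edit' is only a request; the session role decides."""
    device = store.get(params.get("name", ""))
    if device is None:
        return "not_found"
    if params.get("edit") != "true" or "new_name" not in params:
        return "view"
    # Deny by default: unknown or missing roles get no edit rights.
    if not ROLE_CAN_EDIT.get(session.role, False):
        return "forbidden"
    device["name"] = params["new_name"]
    return "updated"

if __name__ == "__main__":
    guest = Session("visitor", "Guest")
    req = {"name": "array-01", "edit": "true", "new_name": "renamed"}
    for handler in (handle_properties_vulnerable, handle_properties_hardened):
        store = fresh_store()
        print(handler.__name__, handler(guest, req, store), store)
```
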
Vendor Information
|Vendor|Status|Date Notified|Date Updated|
|---|---|---|---|
|Zoho|Affected|08 Jan 2014|20 Mar 2014|
Thanks to Security Researcher Mr. Aung Khant (firstname.lastname@example.org) for reporting this vulnerability.
This document was written by Michael Orlando.
- CVE IDs: CVE-2014-0344
- Date Public: 27 Mar 2014
- Date First Published: 27 Mar 2014
- Date Last Updated: 27 Mar 2014
- Document Revision: 11