ManageEngine OpStor Build 8300 and earlier contain multiple vulnerabilities.
CWE-472: External Control of Assumed-Immutable Web Parameter
It has been reported that the 'Properties.do?name=' module is vulnerable to an 'unauthorized function call' caused by the server failing to properly verify the privilege level of the user (i.e., Admin, User, or Guest). This could allow a lower-privileged user (i.e., Guest or User) to change the hidden 'edit' boolean parameter to 'true' and thereby gain Admin-level authority, allowing them to modify the device name and other information.
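The access-control failure described above, modelled as an added example (constructed for this note, not OpStor's own code): a handler that trusts the hidden 'edit' parameter beside one that derives authorization from the server-side session role. The Session, Device and ROLE_RANK names are assumptions for the illustration.

```python
# Constructed model of a "Properties.do"-style handler illustrating CWE-472;
# not ManageEngine code. Role names follow the advisory (Admin, User, Guest).
from dataclasses import dataclass, field

ROLE_RANK = {"Guest": 0, "User": 1, "Admin": 2}   # assumed privilege ordering


@dataclass
class Session:
    username: str
    role: str           # established server-side at login, never read from the request


@dataclass
class Device:
    name: str
    properties: dict = field(default_factory=dict)


class Forbidden(Exception):
    """Raised when a caller lacks the privilege required for the action."""


def is_edit_authorized(session: Session) -> bool:
    """Authorization comes from the session role alone, not from any request field."""
    return ROLE_RANK.get(session.role, -1) >= ROLE_RANK["Admin"]


def vulnerable_properties(session: Session, params: dict, device: Device) -> Device:
    """Trusts the client-controlled 'edit' flag: any user sending edit=true may modify
    the device, which is the weakness the advisory describes."""
    if params.get("edit", "false").lower() == "true":
        device.name = params.get("name", device.name)
    return device


def hardened_properties(session: Session, params: dict, device: Device) -> Device:
    """The 'edit' flag only expresses intent; privilege is checked against the session.
    A non-admin sending edit=true is refused and the attempt is surfaced for logging."""
    wants_edit = params.get("edit", "false").lower() == "true"
    if wants_edit and not is_edit_authorized(session):
        raise Forbidden(f"{session.username} ({session.role}) attempted a privileged edit")
    if wants_edit:
        device.name = params.get("name", device.name)
    return device
```

A Forbidden raised for a Guest or User session is a useful detection signal: legitimate low-privilege clients never send the hidden parameter set to true.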
An attacker may be able to read files from the filesystem, read or modify data in the application database, execute arbitrary scripts in the context of a victim's browser, redirect users to other websites, and forge requests on behalf of the victim.
Thanks to Security Researcher Mr. Aung Khant (firstname.lastname@example.org) for reporting this vulnerability.
This document was written by Michael Orlando.
Date First Published: 2014-03-27
Date Last Updated: 2014-03-27 19:10 UTC