Vulnerability Details : CVE-2017-11560
An issue was discovered in ZOHO ManageEngine OpManager 12.2. By adding a Google Map to the application, an authenticated user can upload an HTML file. This HTML file is then rendered in various locations of the application. JavaScript inside the uploaded HTML is also interpreted by the application. Thus, an attacker can inject a malicious JavaScript payload inside the HTML file and upload it to the application.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2017-11560
- cpe:2.3:a:zohocorp:manageengine_opmanager:12.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-11560
Probability of exploitation activity in the next 30 days: 0.09%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 38 %
CVSS scores for CVE-2017-11560
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N | 6.8 | 2.9 | NIST | |
5.4 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 | NIST | |
CWE ids for CVE-2017-11560
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-11560
- http://opmanager.com
  Network Monitor | Network Monitoring Software - ManageEngine OpManager (Product)
- http://manageengine.com
  ManageEngine - IT Operations and Service Management Software (Vendor Advisory)
- https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18736
  (Exploit; Third Party Advisory)