Description
Multiple cross-site scripting (XSS) vulnerabilities in event/index2.do in ManageEngine EventLog Analyzer before 9.0 build 9002 allow remote attackers to inject arbitrary web script or HTML via the (1) width, (2) height, (3) url, (4) helpP, (5) tab, (6) module, (7) completeData, (8) RBBNAME, (9) TC, (10) rtype, (11) eventCriteria, (12) q, (13) flushCache, or (14) product parameter. Fixed in Build 11072.
References (3)
Core 3
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/69420
Mailing List mailing-list
x_refsource_fulldisc
http://seclists.org/fulldisclosure/2014/Aug/74
Exploit, Third Party Advisory x_refsource_misc
http://packetstormsecurity.com/files/128012/ManageEngine-EventLog-Analyzer-7-Cross-Site-Scripting.html
Scores
EPSS
0.0045
EPSS Percentile
63.7%
Details
CWE
CWE-79
Status
published
Products (2)
zohocorp/manageengine_eventlog_analyzer
7.0
zohocorp/manageengine_eventlog_analyzer
< 9.0
Published
Aug 29, 2014
Tracked Since
Feb 18, 2026