CVE-2009-4387: XSS
First published: Tue Dec 22 2009(Updated: )
The cross-site scripting (XSS) protection mechanism in ShowInContentAreaAction.do in ManageEngine Password Manager Pro (PMP) before 6.1 Build 6104 uses case-sensitive checks for malicious inputs, which allows remote attackers to inject arbitrary web script or HTML via the searchtext parameter and other unspecified inputs.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ManageEngine PasswordManager Pro | <=6.1 | |
| ManageEngine PasswordManager Pro | <=6.1 | |
| ManageEngine PasswordManager Pro | =4.6 | |
| ManageEngine PasswordManager Pro | =4.7 | |
| ManageEngine PasswordManager Pro | =4.8 | |
| ManageEngine PasswordManager Pro | =5.0 | |
| ManageEngine PasswordManager Pro | =5.1 | |
| ManageEngine PasswordManager Pro | =5.2 | |
| ManageEngine PasswordManager Pro | =5.3 | |
| ManageEngine PasswordManager Pro | =5.4 | |
| ManageEngine PasswordManager Pro | =6.0 | |
| ManageEngine Password Manager Pro | <=- |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/37336
- http://www.scip.ch/?vuldb.4063
- http://secunia.com/advisories/37765
- http://www.scip.ch/publikationen/advisories/scip_advisory-4063_manageengine_pmp_script_injection.txt
- http://www.manageengine.com/products/passwordmanagerpro/release-notes.html
- http://www.vupen.com/english/advisories/2009/3540
- http://forums.manageengine.com/#Topic/49000003740390
Frequently Asked Questions
What is the severity of CVE-2009-4387?
CVE-2009-4387 has been rated as a medium severity vulnerability due to its potential for exploitation through cross-site scripting (XSS).
How do I fix CVE-2009-4387?
To fix CVE-2009-4387, upgrade ManageEngine Password Manager Pro to version 6.1 Build 6104 or later where the vulnerability has been addressed.
What software versions are affected by CVE-2009-4387?
CVE-2009-4387 affects ManageEngine Password Manager Pro versions 4.6 to 6.0 and all versions up to 6.1 before Build 6104.
What type of attack does CVE-2009-4387 involve?
CVE-2009-4387 involves a cross-site scripting (XSS) attack where remote attackers can inject arbitrary web scripts or HTML.
Can CVE-2009-4387 be exploited remotely?
Yes, CVE-2009-4387 can be exploited remotely due to the vulnerability in the input validation for the searchtext parameter.
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/author
- agent/event
- agent/description
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- agent/weakness
- vendor/manageengine
- canonical/manageengine passwordmanager pro
- version/manageengine passwordmanager pro/6.1
- version/manageengine passwordmanager pro/4.6
- version/manageengine passwordmanager pro/4.7
- version/manageengine passwordmanager pro/4.8
- version/manageengine passwordmanager pro/5.0
- version/manageengine passwordmanager pro/5.1
- version/manageengine passwordmanager pro/5.2
- version/manageengine passwordmanager pro/5.3
- version/manageengine passwordmanager pro/5.4
- version/manageengine passwordmanager pro/6.0
- canonical/manageengine password manager pro
- version/manageengine password manager pro/-