CVE-2017-11560 Information

Description

An issue was discovered in ZOHO ManageEngine OpManager 12.2. By adding a Google Map to the application an authenticated user can upload an HTML file. This HTML file is then rendered in various locations of the application. JavaScript inside the uploaded HTML is also interpreted by the application. Thus an attacker can inject a malicious JavaScript payload inside the HTML file and upload it to the application.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Reference

http://manageengine.com http://opmanager.com https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=18736

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

REQUIRED

Confidentiality Impact

CHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

NONE

Base Severity

5.4