XSS Vulnerability - ZVE-2023-0284

This document addresses the vulnerability reported in the monitoring component of RMM Central.

Severity: Medium

Update Released Build: 10.1.50

Update Released Date: 03/02/2023

What was the problem?

Stored XSS vulnerabilities that lead to JavaScript injection were detected in the URL monitors. These issues have been fixed by disabling invalid URL addresses during rendering.
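The kind of render-time check described above can be sketched as follows. This is an added example, not code from RMM Central: the function names, the http/https allowlist, the length limit and the sample values are all assumptions made for illustration.

```javascript
// Added illustration; every name here is hypothetical, not RMM Central's API.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]); // assumed allowlist

// Escape a value for HTML text nodes and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[ch]));
}

// Return the normalized URL if the stored value is a valid http(s) URL, else null.
function validateMonitorUrl(stored) {
  if (typeof stored !== "string" || stored.length > 2048) return null;
  const candidate = stored.trim();
  // The URL parser silently strips tabs and newlines, so reject them up front.
  if (/[\u0000-\u0020\u007f]/.test(candidate)) return null;
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch {
    return null; // not parseable as an absolute URL
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol) || parsed.hostname === "") return null;
  return parsed.href;
}

// Render the URL cell of a monitor: a link when valid, inert escaped text otherwise.
function renderMonitorUrl(stored) {
  const safe = validateMonitorUrl(stored);
  if (safe === null) {
    return `<span class="invalid-url">${escapeHtml(stored)}</span>`;
  }
  const shown = escapeHtml(safe);
  return `<a href="${shown}" rel="noopener noreferrer">${shown}</a>`;
}

// Constructed sample values, not taken from the advisory.
const samples = [
  "https://status.example.com/health?a=1&b=2",
  "javascript:alert(1)",
  "<img src=x>",
];
for (const value of samples) {
  console.log(renderMonitorUrl(value));
}
```

Validation and output escaping are applied together here: the scheme check stops script-bearing URLs from becoming links, and escaping keeps rejected values inert when they are displayed.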

Impact of the vulnerability

Using the stored XSS data, attackers might gain unauthorized access to session information.

Affected versions: 10.1.49 and below

Credits and acknowledgments

This vulnerability was reported by Ranjit Pahan.

How do I fix it?

These vulnerabilities were fixed on February 3, 2023, and the mitigation is available in build 10.1.50 with monitoring build 12.6.278.

Apply the latest build to your existing product installation by following the upgrade pack instructions provided on the service pack page.

https://www.manageengine.com/remote-monitoring-management/service-packs.html

Help

For any further questions or concerns, please reach out to us at rmmcentral-support@manageengine.com