Security updates

This document lists the vulnerabilities detected in Browser Security Plus.
Upgrading to the latest build will fix these issues.

Vulnerabilities fixed in build number 2404.1

  1. Security issues pertaining to data access among multiple users on the same agent machine have been fixed.
  2. Issues with improper URL parsing have been fixed.

Vulnerability fixed in build number 2138.2

  1. Privilege escalation issue, allowing an authenticated user to change any user's login password, has been fixed.

Vulnerability fixed in build number 2137.8

  1. Authentication bypass issue that allowed reading sensitive information or uploading an arbitrary ZIP archive to the server has been fixed.

Vulnerability fixed in build number 2119.11

  1. Authentication issue that bypassed role-based access control, leading to remote code execution on the server, has been fixed.

Vulnerabilities fixed in build number 10091

  1. Security issues such as file type mismatch, privilege elevation of users in the web console and HTML injection have been fixed.
  2. SQL injection issue has been fixed.
  3. Authentication mechanism for servlets has been improved.

Vulnerabilities fixed in build number 10087

  1. SQL injection issue which allowed placement of malicious code in SQL statements through web page input.
  2. Script injection issue where user input to a web script was placed into the output HTML without being checked for HTML code or scripting.
  3. Privilege elevation issue where a lower-privilege user could execute higher-privilege tasks on the Browser Security Plus console.
  4. File type mismatch verification.
  5. Authentication mechanism in servlets.
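Items 1 and 2 above describe the two root causes in one sentence each: request input spliced into a SQL statement, and request input copied into HTML output unencoded. The following is an added illustration, not code from Browser Security Plus (whose console is a Java servlet application; Python and an in-memory SQLite table are used here only so the example runs stand-alone). The table, user names and probe string are all constructed for the example; the point is the contrast between the vulnerable and hardened versions of each function, and that the hardened versions treat the same input as plain data.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data, not from the product: a tiny users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "operator")],
    )
    return conn


def find_user_vulnerable(conn, name):
    # Input is spliced into the statement text, so quote characters in
    # `name` change the structure of the SQL (the issue class in item 1).
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    # Bound parameter: the driver passes `name` as a value, never as SQL
    # text, so quotes inside it cannot alter the statement.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_vulnerable(name):
    # User input copied straight into HTML (the issue class in item 2).
    return f"<p>Welcome, {name}</p>"


def render_greeting_safe(name):
    # HTML-encode before emitting so markup in the input is shown as text.
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


def demo():
    # Runs both versions on a constructed probe that is not a real user name
    # and returns the observable difference for the caller to inspect.
    conn = make_db()
    probe = "x' OR '1'='1"
    return {
        "vulnerable_rows": len(find_user_vulnerable(conn, probe)),
        "safe_rows": len(find_user_safe(conn, probe)),
        "vulnerable_html": render_greeting_vulnerable("<b>x</b>"),
        "safe_html": render_greeting_safe("<b>x</b>"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns every row for the probe because the quote closes the literal and the appended condition is always true; the parameterized lookup returns nothing because no user is literally named `x' OR '1'='1`. Likewise the encoded greeting renders `&lt;b&gt;x&lt;/b&gt;` as visible text rather than as markup. Both fixes belong at the point where data crosses a boundary (into the database, into the page), which is where a code review for these classes should look.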

Vulnerability fixed in build number 10082

  1. Exposure of sensitive information such as the customer's domain, port and IP address in the product console has been fixed.

Vulnerabilities fixed in build number 10057

  1. Information exposure in application logs.
  2. Cross-site scripting (XSS) vulnerability during login.
  3. Local privilege escalation - use of the default installation directory "C:/ManageEngine" gave rise to the vulnerability that any locally authenticated user was able to view, add, delete or modify files under "C:/ManageEngine". Hence, as a security practice, we have switched to "\ManageEngine\BrowserSecurityPlus" as the default installation directory.
  4. Local privilege escalation for PGSQL - users with system access could access the database, which requires admin privilege.
  5. Blind SQL injection in tables.

Upgrade to the latest build to get these issues fixed.