OpenCVE

The cross-site scripting (XSS) protection mechanism in ShowInContentAreaAction.do in ManageEngine Password Manager Pro (PMP) before 6.1 Build 6104 uses case-sensitive checks for malicious inputs, which allows remote attackers to inject arbitrary web script or HTML via the searchtext parameter and other unspecified inputs.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Manageengine	Password Manager Pro Password Manager Pro6.1

Configuration 1 [-]

OR	cpe:2.3:a:manageengine:password_manager_pro::::::::
	cpe:2.3:a:manageengine:password_manager_pro::-:standard:::::
	cpe:2.3:a:manageengine:password_manager_pro:4.6:::::::*
	cpe:2.3:a:manageengine:password_manager_pro:4.7:::::::*
	cpe:2.3:a:manageengine:password_manager_pro:4.8:::::::*
	cpe:2.3:a:manageengine:password_manager_pro:5.0:::::::*
	cpe:2.3:a:manageengine:password_manager_pro:5.1:::::::*
	cpe:2.3:a:manageengine:password_manager_pro:5.2:::::::*
	cpe:2.3:a:manageengine:password_manager_pro:5.3:::::::*
	cpe:2.3:a:manageengine:password_manager_pro:5.4:::::::*
	cpe:2.3:a:manageengine:password_manager_pro:6.0:::::::*
	cpe:2.3:a:manageengine:password_manager_pro6.1::free::::::*

No data.

References

Link	Providers
http://forums.manageengine.com/#Topic/49000003740390
http://secunia.com/advisories/37765
http://www.manageengine.com/products/passwordmanagerpro/release-notes.html
http://www.scip.ch/?vuldb.4063
http://www.scip.ch/publikationen/advisories/scip_advisory-4063_manageengine_pmp_script_injection.txt
http://www.securityfocus.com/bid/37336
http://www.vupen.com/english/advisories/2009/3540

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2009-12-22T23:00:00Z

Updated: 2024-09-16T17:29:04.222Z

Reserved: 2009-12-22T00:00:00Z

Link: CVE-2009-4387

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2009-12-22T23:30:00.517

Modified: 2009-12-23T05:00:00.000

Link: CVE-2009-4387

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The cross-site scripting (XSS) protection mechanism in ShowInContentAreaAction.do in ManageEngine Password Manager Pro (PMP) before 6.1 Build 6104 uses case-sensitive checks for malicious inputs, which allows remote attackers to inject arbitrary web script or HTML via the searchtext parameter and other unspecified inputs."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2009-12-22T23:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://www.scip.ch/?vuldb.4063"}, {"tags": ["x_refsource_MISC"], "url": "http://www.scip.ch/publikationen/advisories/scip_advisory-4063_manageengine_pmp_script_injection.txt"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://forums.manageengine.com/#Topic/49000003740390"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.manageengine.com/products/passwordmanagerpro/release-notes.html"}, {"name": "37765", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/37765"}, {"name": "ADV-2009-3540", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2009/3540"}, {"name": "37336", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/37336"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2009-4387", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The cross-site scripting (XSS) protection mechanism in ShowInContentAreaAction.do in ManageEngine Password Manager Pro (PMP) before 6.1 Build 6104 uses case-sensitive checks for malicious inputs, which allows remote attackers to inject arbitrary web script or HTML via the searchtext parameter and other unspecified inputs."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://www.scip.ch/?vuldb.4063", "refsource": "MISC", "url": "http://www.scip.ch/?vuldb.4063"}, {"name": "http://www.scip.ch/publikationen/advisories/scip_advisory-4063_manageengine_pmp_script_injection.txt", "refsource": "MISC", "url": "http://www.scip.ch/publikationen/advisories/scip_advisory-4063_manageengine_pmp_script_injection.txt"}, {"name": "http://forums.manageengine.com/#Topic/49000003740390", "refsource": "CONFIRM", "url": "http://forums.manageengine.com/#Topic/49000003740390"}, {"name": "http://www.manageengine.com/products/passwordmanagerpro/release-notes.html", "refsource": "CONFIRM", "url": "http://www.manageengine.com/products/passwordmanagerpro/release-notes.html"}, {"name": "37765", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/37765"}, {"name": "ADV-2009-3540", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2009/3540"}, {"name": "37336", "refsource": "BID", "url": "http://www.securityfocus.com/bid/37336"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T07:01:20.513Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.scip.ch/?vuldb.4063"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.scip.ch/publikationen/advisories/scip_advisory-4063_manageengine_pmp_script_injection.txt"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://forums.manageengine.com/#Topic/49000003740390"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.manageengine.com/products/passwordmanagerpro/release-notes.html"}, {"name": "37765", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/37765"}, {"name": "ADV-2009-3540", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2009/3540"}, {"name": "37336", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/37336"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2009-4387", "datePublished": "2009-12-22T23:00:00Z", "dateReserved": "2009-12-22T00:00:00Z", "dateUpdated": "2024-09-16T17:29:04.222Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:manageengine:password_manager_pro:*:*:*:*:*:*:*:*", "matchCriteriaId": "F98F34C9-3D3B-4C67-88BF-8B4F8CD71832", "versionEndIncluding": "6.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:manageengine:password_manager_pro:*:-:standard:*:*:*:*:*", "matchCriteriaId": "A888EEC2-60E8-407C-ACE8-68AB5E882EBD", "versionEndIncluding": "6.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:manageengine:password_manager_pro:4.6:*:*:*:*:*:*:*", "matchCriteriaId": "B514D4E8-E996-4F8C-9830-3CB12B6FBE1C", "vulnerable": true}, {"criteria": "cpe:2.3:a:manageengine:password_manager_pro:4.7:*:*:*:*:*:*:*", "matchCriteriaId": "EFD9FC23-D877-44FA-8F86-4AF006A0C3E9", "vulnerable": true}, {"criteria": "cpe:2.3:a:manageengine:password_manager_pro:4.8:*:*:*:*:*:*:*", "matchCriteriaId": "63DA6D0A-931D-4B07-86C1-06D4F36FA679", "vulnerable": true}, {"criteria": "cpe:2.3:a:manageengine:password_manager_pro:5.0:*:*:*:*:*:*:*", "matchCriteriaId": "DAACBB2A-8F1E-4013-B3DA-1742CA66A944", "vulnerable": true}, {"criteria": "cpe:2.3:a:manageengine:password_manager_pro:5.1:*:*:*:*:*:*:*", "matchCriteriaId": "076C49A5-C554-4820-AE83-5858209CF3C8", "vulnerable": true}, {"criteria": "cpe:2.3:a:manageengine:password_manager_pro:5.2:*:*:*:*:*:*:*", "matchCriteriaId": "9E578FA0-E8AD-4BD5-B6B8-2357A2EAF4AC", "vulnerable": true}, {"criteria": "cpe:2.3:a:manageengine:password_manager_pro:5.3:*:*:*:*:*:*:*", "matchCriteriaId": "1EA9117D-2355-4FCE-876B-2E6FAED66A55", "vulnerable": true}, {"criteria": "cpe:2.3:a:manageengine:password_manager_pro:5.4:*:*:*:*:*:*:*", "matchCriteriaId": "27B0EF1B-B8C1-40E4-8545-F5B119FF50FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:manageengine:password_manager_pro:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "B0783C5C-58CA-435E-B000-9787379DEB9D", "vulnerable": true}, {"criteria": "cpe:2.3:a:manageengine:password_manager_pro6.1:*:free:*:*:*:*:*:*", "matchCriteriaId": "0D46C1E3-5B7F-466C-98BB-F910757F9A47", "versionEndIncluding": "-", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The cross-site scripting (XSS) protection mechanism in ShowInContentAreaAction.do in ManageEngine Password Manager Pro (PMP) before 6.1 Build 6104 uses case-sensitive checks for malicious inputs, which allows remote attackers to inject arbitrary web script or HTML via the searchtext parameter and other unspecified inputs."}, {"lang": "es", "value": "Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en ShowInContentAreaAction.do en ManageEngine Password Manager Pro (PMP) en versi\u00f3nes anteriores a v6.1 Build 6104 utiliza comprobaci\u00f3n del uso de may\u00fasculas/min\u00fasculas para entradas maliciosas, lo que permite a atacantes remotos inyectar secuencias de comandos web o HTML de forma arbitraria a trav\u00e9s del par\u00e1metro \"searchtext\" y otras entradas sin especificar."}], "id": "CVE-2009-4387", "lastModified": "2009-12-23T05:00:00.000", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2009-12-22T23:30:00.517", "references": [{"source": "cve@mitre.org", "url": "http://forums.manageengine.com/#Topic/49000003740390"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/37765"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://www.manageengine.com/products/passwordmanagerpro/release-notes.html"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "http://www.scip.ch/?vuldb.4063"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://www.scip.ch/publikationen/advisories/scip_advisory-4063_manageengine_pmp_script_injection.txt"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/37336"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2009/3540"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}