| Vendor |
|
| Product | NetGain EM FreeEdition |
| Affected Version(s) | v10.0.9b51 and prior |
| Tested Version(s) | v10.0.9b51 |
| Vendor Notification | May 02, 2018 |
| Advisory Publication | April 30, 2018 [without technical details] |
| Vendor Fix | v10.1.12 |
| Public Disclosure | October 19, 2018 |
| Latest Modification | April 30, 2018 |
| CVE Identifier(s) | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10586 |
| Product Description | NetGain is an IT monitoring software. It provides one of the most comprehensive monitoring scope in the industry. Launched in 2002, NetGain Systems is a pioneer in the IT monitoring and protection business and has established teams in Singapore, China, Indonesia, Thailand, Malaysia and Australia. |
| Credits | Enrico Winata, Security Researcher & Penetration Tester @wizlynx group - Min Thu Han, Security Researcher & Penetration Tester @wizlynx group - Tan Peng Fei Eddie, Security Researcher & Penetration Tester @wizlynx group |
| Stored Cross-Site Scripting (XSS) Vulnerability | |||
| Severity: Medium | CVSS Score: 4.8 | CWE-ID: CWE-79 | Status: Not Fixed |
| Vulnerability Description | |||
| The web application running on NetGain EM is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities affecting version 10.0.9 and probably prior versions. These vulnerabilities could allow malicious authenticated attacker to conduct a stored cross-site scripting (XSS) attack against other users who accessing the web-based management interface of an affected application. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link or when a user browse to the affected pages. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information. | |||
| CVSS Base Score | |||
| Attack Vector | Network | Scope | Changed |
| Attack Complexity | Low | Confidentiality Impact | Low |
| Privileges Required | High | Integrity Impact | Low |
| User Interaction | Required | Availability Impact | None |
Full details about the vulnerability will be disclosed once the vendor has provided a patch.