Security Research & Advisories

Multiple Stored Cross-Site Scripting(XSS) Vulnerabilities in NetGain EM

Product NetGain EM FreeEdition
Affected Version(s) v10.0.9b51 and prior
Tested Version(s) v10.0.9b51
Vendor Notification May 02, 2018
Advisory Publication April 30, 2018 [without technical details]
Vendor Fix v10.1.12
Public Disclosure October 19, 2018
Latest Modification April 30, 2018
CVE Identifier(s)
Product Description NetGain is an IT monitoring software. It provides one of the most comprehensive monitoring scope in the industry. Launched in 2002, NetGain Systems is a pioneer in the IT monitoring and protection business and has established teams in Singapore, China, Indonesia, Thailand, Malaysia and Australia.
Credits Enrico Winata, Security Researcher & Penetration Tester @wizlynx group - Min Thu Han, Security Researcher & Penetration Tester @wizlynx group - Tan Peng Fei Eddie, Security Researcher & Penetration Tester @wizlynx group

Vulnerability Details

Stored Cross-Site Scripting (XSS) Vulnerability
Severity: Medium CVSS Score: 4.8 CWE-ID: CWE-79 Status: Not Fixed
Vulnerability Description
The web application running on NetGain EM is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities affecting version 10.0.9 and probably prior versions. These vulnerabilities could allow malicious authenticated attacker to conduct a stored cross-site scripting (XSS) attack against other users who accessing the web-based management interface of an affected application. The vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link or when a user browse to the affected pages. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or allow the attacker to access sensitive browser-based information.
CVSS Base Score
Attack Vector Network Scope Changed
Attack Complexity Low Confidentiality Impact Low
Privileges Required High Integrity Impact Low
User Interaction Required Availability Impact None


Full details about the vulnerability will be disclosed once the vendor has provided a patch.