Nessus Scan showing "ManageEngine OpManager 'OPM_BVNAME' Blind SQLi and Reflected XSS"
Hi,
When scanning our OpManager server with Nessus, we get a high-severity alert:
"The remote host is running a version of ManageEngine OpManager that is affected by a Blind SQL injection vulnerability due to a failure to validate the 'OPM_BVNAME' parameter of the APMBVHandler servlet. A remote unauthenticated attacker can exploit this flaw to modify the application's database and potentially gain administrative rights.
Though the vendor has released a patch to address this flaw, Tenable's research shows that the fix is only partial, and patched systems are still vulnerable to attacks.
In addition to the SQL injection vulnerability, the unpatched servlet will also display the 'OPM_BVNAME' parameter directly back to the user in its response, making it a vector for a reflected XSS attack."
Do we know when a patch will be released?
Thanks
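The finding quoted above names the servlet (APMBVHandler) and the parameter (OPM_BVNAME) but gives no way to tell whether anyone is actually probing it while a complete fix is still pending. The script below is an added example, not code from the original post, from Tenable or from ManageEngine: it walks web-server access-log lines, picks out requests to the APMBVHandler servlet that carry OPM_BVNAME, and tags values that look like SQL-injection or reflected-XSS probes. The sample log lines, the /servlet/APMBVHandler path and the payload patterns are constructed assumptions for illustration; the post itself does not state the servlet's URL path.

```python
"""Triage access-log lines for probes of OpManager's APMBVHandler servlet.

Added example for log review; not vendor, Tenable or Nessus code.
Assumes Apache/Tomcat "common" access-log format. The servlet path in the
sample data is an assumption, so matching is done on the servlet name only.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# host ident user [time] "METHOD TARGET PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Heuristics only: quotes, comment markers, stacked queries, time-based probes.
SQLI_RE = re.compile(
    r"(?i)('|--|;|/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bwaitfor\b"
    r"|\bbenchmark\s*\(|\bor\b\s+\d+\s*=\s*\d+)"
)
# Markup or script fragments that a reflected parameter would echo back.
XSS_RE = re.compile(
    r"(?i)(<\s*/?\s*script|javascript:|on\w+\s*=|<\s*img|<\s*svg|alert\s*\()"
)

SERVLET = "apmbvhandler"
PARAM = "opm_bvname"

# Constructed sample lines: one benign lookup, one SQLi probe, one XSS probe,
# one unrelated request. The /servlet/ prefix is an assumption.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /servlet/APMBVHandler?OPM_BVNAME=Default HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /servlet/APMBVHandler?OPM_BVNAME=x%27%20OR%20SLEEP(5)--%20 HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /servlet/APMBVHandler?OPM_BVNAME=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /index.do HTTP/1.1" 200 2048
"""


def classify_value(value):
    """Return the attack classes ('sqli', 'xss') a parameter value resembles."""
    tags = []
    if SQLI_RE.search(value):
        tags.append("sqli")
    if XSS_RE.search(value):
        tags.append("xss")
    return tags


def triage_line(line):
    """Return a finding dict for a suspicious APMBVHandler request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not in the expected log format
    parts = urlsplit(m.group("target"))
    if SERVLET not in parts.path.lower():
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    values = [v for k, vs in query.items() if k.lower() == PARAM for v in vs]
    if not values:
        return None
    tags = set()
    for v in values:
        # parse_qs decoded once; decode again to catch double-encoded payloads.
        tags.update(classify_value(v))
        tags.update(classify_value(unquote_plus(v)))
    if not tags:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "values": values,
        "tags": sorted(tags),
    }


def triage_log(text):
    """Run triage_line over every line of a log and keep the findings."""
    findings = []
    for line in text.splitlines():
        f = triage_line(line)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {','.join(f['tags'])} -> {f['values']}")
```

Two caveats when using this on real logs. Access logs only show the query string, so a POST body carrying OPM_BVNAME is invisible here; that needs application-level logging or a reverse proxy/WAF in front of the servlet. And the Nessus scan that produced the alert will itself generate hits of this kind, so correlate the source IP with your scanner before treating a match as an attack.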