Vulnerabilities in OpManager 12.0

VULNERABILITY DETAILS (found in build 12000)

Vulnerability 1:

Unrestricted File Upload: 

OpManager fails to validate, or improperly validates, files before they are uploaded to the system. As a result, an attacker might be able to upload an arbitrary JSP file and execute it by directly accessing the uploaded file.
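A server-side upload check of the kind whose absence is described above, as an added example in Python (not OpManager's code and not the vendor's fix). The allowlist, the magic-byte table and the function names are assumptions made for illustration; the storage directory is assumed to lie outside the web root.

```python
import os
import secrets

# Assumed policy for this example: accepted types and their leading magic bytes.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
}
# Characters that can smuggle a name past an extension check
# (NTFS streams "a.jsp::$DATA", path parameters "a.jsp;.png", separators, encodings).
FORBIDDEN_CHARS = set(':;/\\%')


class UploadRejected(ValueError):
    pass


def validate_upload(client_name: str, data: bytes) -> str:
    """Return the allowlisted extension, or raise UploadRejected."""
    if any(c in FORBIDDEN_CHARS or ord(c) < 32 for c in client_name):
        raise UploadRejected("illegal character in file name")
    # Windows strips trailing dots and spaces, so "a.jsp." is stored as "a.jsp".
    if client_name != client_name.rstrip(". "):
        raise UploadRejected("trailing dot or space")
    stem, ext = os.path.splitext(client_name.lower())
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext or '(none)'} not allowlisted")
    if "." in stem:
        raise UploadRejected("multiple extensions")  # strict: also rejects "a.v2.pdf"
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    return ext


def store_upload(client_name: str, data: bytes, storage_dir: str) -> str:
    """Validate, then save under a server-chosen name in storage_dir.

    storage_dir must be outside the web root, so nothing in it is reachable
    by URL or handed to the JSP engine.
    """
    ext = validate_upload(client_name, data)
    path = os.path.join(storage_dir, secrets.token_hex(16) + ext)
    # O_EXCL: never overwrite an existing file; O_BINARY only exists on Windows.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_BINARY", 0)
    with os.fdopen(os.open(path, flags, 0o600), "wb") as fh:
        fh.write(data)
    return path
```

The client-supplied name is used only for validation and never becomes part of the stored path, so a request for the original file name cannot reach the stored file.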

Vulnerability 2:

Cross-Site Scripting:

OpManager suffers from a stored XSS vulnerability. Input passed through the "post" parameter in group chat is not sanitized, allowing an attacker to execute HTML code in the user's browser session.

Vulnerability 3:

Cross-Site Request Forgery:

The vulnerability exists because OpManager fails to implement anti-CSRF tokens when performing certain actions. This Cross-Site Request Forgery vulnerability enables an unprivileged attacker to add or delete OpManager’s administrator accounts.

You can check the full details of these vulnerabilities in the attached PDF.


Steps to apply the 12200 Issues Fixed Update Patch on a 12200 Windows installation:

1. Download the file from the URL below and save it under /OpManager.
2. Stop the OpManager service.
3. Rename the old /OpManager/12200FixesUpdate folder, if it exists.
4. Rename the old /OpManager/logs folder and create a new /OpManager/logs folder.
5. Extract the downloaded file directly under the /OpManager directory using 'Extract Here', and make sure the subfolder /OpManager/12200FixesUpdate exists.
6. Download the batch file 12200IssuesUpdt_Dec22.bat, save it under /OpManager, and execute it.
7. Start the OpManager service, clear the browser cookies, and try again.