Security updates

This document lists the vulnerabilities detected in Browser Security Plus and the fix for each.

Vulnerabilities fixed in build number 10057:

  1. Information exposure in application logs.
  2. Cross-site scripting (XSS) vulnerability during login.
  3. Local privilege escalation: the default installation directory, "C:\ManageEngine", was writable by any locally authenticated user, who could view, add, delete or modify files under it. As a security practice, the default installation directory has been changed to "<PROGRAM_FILES>\ManageEngine\BrowserSecurityPlus".
  4. Local privilege escalation in PGSQL: users with local system access could reach the database, which should have required administrator privileges.
  5. Blind SQL injection in tables.
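Item 3 turns on a directory ACL: a folder created directly under the drive root inherits write access for Authenticated Users from the root's default ACL, while Program Files only grants write access to administrators and TrustedInstaller. The following PowerShell is an added example (not ManageEngine code) that reports any Allow ACE on a directory granting write-class rights to a broad principal, so you can confirm that the directory the product actually runs from is not modifiable by ordinary users. The paths in the usage line at the end are assumptions taken from this page; adjust them to your install.

```powershell
# Added example, not part of Browser Security Plus. Reports Allow ACEs on a
# directory that give write-class rights to principals every local user holds.
function Get-BroadWriteAces {
    param(
        [Parameter(Mandatory)][string]$Path
    )

    # Groups that any locally authenticated user is a member of.
    $broadPrincipals = @(
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'Everyone'
    )

    # Rights that let a user plant or replace files (Modify/FullControl are supersets).
    $writeMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                 [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Delete -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl

    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }

        # Note: ACEs expressed as generic rights (GENERIC_WRITE etc.) show up as
        # raw integers and are not caught by this specific-rights mask.
        if (($ace.FileSystemRights -band $writeMask) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: compare the old default location with the new one (assumed paths).
'C:\ManageEngine', "$env:ProgramFiles\ManageEngine\BrowserSecurityPlus" |
    Where-Object { Test-Path $_ } |
    ForEach-Object { Get-BroadWriteAces -Path $_ }
```

An empty result for a directory means no broad principal has a write-class right on it; a row naming BUILTIN\Users or Authenticated Users with Modify or FullControl reproduces the condition described in item 3. Whether an in-place upgrade relocates an existing C:\ManageEngine install is not stated on this page, so run the check against the directory the service is actually installed in rather than assuming the new default applies.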

These vulnerabilities were fixed in build 10057, released on 17-04-2019. Upgrade to the latest build to receive these fixes.