Security updates

This document lists the vulnerabilities detected in Browser Security Plus and the fix for each.

Vulnerabilities fixed in build number 10057:

  1. Information exposure in application logs.
  2. Cross Site Scripting Vulnerability (XSS) during login.
  3. Local privilege escalation - using "C:/ManageEngine" as the default installation directory meant that any locally authenticated user could view, add, delete or modify files under "C:/ManageEngine". As a security practice, we have therefore switched the default installation directory to "<PROGRAM_FILES>\ManageEngine\BrowserSecurityPlus".
  4. Local privilege escalation for PGSQL - users with access to the system could reach the database, which should require admin privileges.
  5. Blind SQL injection in tables.

These vulnerabilities were fixed in build 10057, released on 17-04-2019. Upgrade to the latest build to get these fixes.
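The installation-directory finding (item 3) comes down to which principals hold write-class rights on the folder. The following PowerShell check is an added example, not ManageEngine's code; the `$InstallDir` default is an assumption, so point it at the directory your installation actually uses (including the old `C:\ManageEngine` path if you are still on it).

```powershell
# Added example (not part of Browser Security Plus): report ACEs on the
# installation directory that grant write-class rights to broad principals.
# $InstallDir is an assumed default; adjust it to your own installation.
function Test-InstallDirAcl {
    param([string]$InstallDir = "$env:ProgramFiles\ManageEngine\BrowserSecurityPlus")

    if (-not (Test-Path -LiteralPath $InstallDir)) {
        Write-Warning "Directory not found: $InstallDir"
        return
    }

    # Groups that every local, non-admin account belongs to.
    $broadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

    # Rights that allow creating, changing or deleting files in the folder.
    $writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete

    $acl = Get-Acl -LiteralPath $InstallDir
    $findings = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeRights) -ne 0) {
            [pscustomobject]@{
                Path      = $InstallDir
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # True when the rights come from the parent, e.g. C:\
            }
        }
    }

    if ($findings) {
        Write-Warning "Broad write access on $InstallDir; restrict it to Administrators and SYSTEM."
        $findings
    } else {
        Write-Host "OK: no broad write access on $InstallDir"
    }
}

Test-InstallDirAcl
```

A folder created directly under the drive root typically inherits broad create/append rights from the root, which is what a hit with `Inherited = True` indicates; the Program Files tree does not grant those rights to standard users by default.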

Vulnerability fixed in build number 10082:

  1. Exposure of sensitive information, such as the customer's domain, port and IP address, in the product console has been fixed.