Security updates

This document lists the vulnerabilities detected in Browser Security Plus and the build in which each one was fixed.

Vulnerabilities fixed in build number 10091

  1. Filetype mismatch, privilege elevation of users in the web console and HTML injection issues have been fixed.
  2. An SQL injection issue has been fixed.
  3. The authentication mechanism for servlets has been improved.

Vulnerabilities fixed in build number 10087

  1. SQL injection issue which allowed malicious code to be placed into SQL statements through web page input.
  2. Script injection issue where user input to a web script was placed into the output HTML without being checked for HTML or script content.
  3. Privilege elevation issue where a lower-privilege user could execute higher-privilege tasks on the Browser Security Plus console.
  4. Filetype mismatch verification has been strengthened.
  5. Authentication mechanism in servlets has been improved.

Vulnerability fixed in build number 10082

  1. Exposure of sensitive information like the customer's domain, port and IP address in the product console has been fixed.

Vulnerabilities fixed in build number 10057

  1. Information exposure in application logs.
  2. Cross-site scripting (XSS) vulnerability during login.
  3. Local privilege escalation: the default installation directory, "C:/ManageEngine", sits directly under the root of the system drive and inherits the root's permissions, so any locally authenticated user was able to view, add, delete or modify files under "C:/ManageEngine". As a security practice, the default installation directory has therefore been switched to "<PROGRAM_FILES>\ManageEngine\BrowserSecurityPlus", where standard users have no write access.
  4. Local privilege escalation in PostgreSQL: users with local system access could access the database, which should require administrator privileges.
  5. Blind SQL injection in tables.
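The following PowerShell script is an added example for item 3 above; it is not part of these release notes or of the product. It walks an installation tree and reports every Allow ACE that gives a broad, non-administrative principal (Everyone, Authenticated Users, BUILTIN\Users or INTERACTIVE) a write-class right, which is exactly the condition that made "C:/ManageEngine" exploitable. The default value of $InstallDir is an assumption; pass the path your installer actually used, including the old C:\ManageEngine location if the product was installed before the default changed.

```powershell
# Added example (not from the Browser Security Plus release notes or product):
# find ACEs under an installation directory that let non-administrative local
# users modify files. $InstallDir is an assumed default; override it as needed.
param(
    [string]$InstallDir = "C:\ManageEngine\BrowserSecurityPlus"
)

# Specific rights that allow replacing, appending to or deleting files/folders.
# (CreateFiles == WriteData and CreateDirectories == AppendData in this enum.)
$writeRights = [System.Security.AccessControl.FileSystemRights]`
    'Modify, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership, FullControl'

# Generic access bits are not covered by the enum mask above, so test them separately.
$genericWriteOrAll = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL

# Well-known SIDs for principals that should never hold write rights on a
# service's install tree. SIDs are used instead of names to stay locale-independent.
$broadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # NT AUTHORITY\INTERACTIVE
)

function Find-WeakAce {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Directory not found: $Path"
    }

    # Check the root directory and everything beneath it; a writable binary,
    # script or config file is as dangerous as a writable directory.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }

            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                continue   # unresolvable identity; nothing to compare against
            }
            if ($broadSids -notcontains $sid) { continue }

            $raw = $ace.FileSystemRights.value__
            $hasSpecific = ($raw -band $writeRights.value__) -ne 0
            $hasGeneric  = ($raw -band $genericWriteOrAll) -ne 0
            if ($hasSpecific -or $hasGeneric) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $ace.IdentityReference.Value
                    Sid       = $sid
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # $true means the grant came from a parent, e.g. the drive root
                }
            }
        }
    }
}

$findings = @(Find-WeakAce -Path $InstallDir)
if ($findings.Count -gt 0) {
    Write-Warning ("{0} ACE(s) let non-administrative users write under {1}" -f $findings.Count, $InstallDir)
    $findings | Format-Table Path, Principal, Rights, Inherited -AutoSize
    exit 1
}
Write-Host "OK: no write-class grants to Everyone, Authenticated Users, Users or INTERACTIVE under $InstallDir"
```

Run it from an elevated prompt after installing or upgrading. An Inherited value of $true on a finding means the grant was not set by the installer but flowed down from the parent directory, which is the mechanism behind item 3: a folder created at the root of the system drive inherits the root's grant of Modify to Authenticated Users, whereas Program Files restricts writes to administrators. Note that changing the default path only affects new installations; an existing installation under the old path keeps its permissions until it is moved or its ACL is tightened, so the check is worth repeating on upgraded servers.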

Upgrade to the latest build to get these fixes.