This document lists the vulnerabilities detected in Browser Security Plus and the fix for each.
Vulnerabilities fixed in build number 10057:
- Information exposure in application logs.
- Cross Site Scripting Vulnerability (XSS) during login.
- Local privilege escalation - the default installation directory, "C:/ManageEngine", allowed any locally authenticated user to view, add, delete or modify files under "C:/ManageEngine". As a security practice, we have therefore switched the default installation directory to "<PROGRAM_FILES>\ManageEngine\BrowserSecurityPlus".
- Local privilege escalation in PGSQL - users with system access could access the database, which requires admin privilege.
- Blind SQL injection in tables.
These vulnerabilities were fixed in build 10057, released on 17-04-2019. Upgrade to the latest build to get these fixes.
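The installation-directory issue above comes down to NTFS permissions: a folder created directly under the drive root inherits an ACL that lets ordinary users create and modify files, whereas folders under Program Files only grant them read and execute. The following PowerShell audit is an added example, not part of this advisory or of the vendor's product; it reports any "Allow" entry that gives a broad low-privilege principal write-type rights on an install directory. The directory paths and the list of broad principals are assumptions for illustration and should be adjusted to the environment.

```powershell
# Added example: audit the NTFS ACL of an install directory for write access
# granted to broad, low-privilege principals (the condition that made the old
# default "C:/ManageEngine" a local privilege escalation vector).
# Paths and principal names below are assumptions, not values from the advisory.

function Test-InstallDirAcl {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # Principals that every local user belongs to; write access for them means
    # any authenticated user can tamper with the product's files.
    $broadPrincipals = @(
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'Everyone',
        'NT AUTHORITY\INTERACTIVE'
    )

    # Rights that permit creating, changing or deleting files.
    $writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData

    $acl = Get-Acl -Path $Path
    $findings = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeRights) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
    return $findings
}

# Usage: compare the legacy default location with the new Program Files default.
# Both paths are assumed for this example; change them to match the installation.
foreach ($dir in @('C:\ManageEngine', "$env:ProgramFiles\ManageEngine\BrowserSecurityPlus")) {
    if (-not (Test-Path $dir)) { Write-Host "Skipping $dir (not present)"; continue }
    $hits = Test-InstallDirAcl -Path $dir
    if ($hits) {
        Write-Warning "Low-privilege principals can write under $dir :"
        $hits | Format-Table -AutoSize
    } else {
        Write-Host "OK: no broad write access on $dir"
    }
}
```

Run this in an elevated session after installing or upgrading; a clean result on the new default directory and a warning on a leftover "C:\ManageEngine" folder is the expected outcome, and any remaining legacy directory should have its ACL tightened or be removed.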
Vulnerability fixed in build number 10082:
- Exposure of sensitive information, such as the customer's domain, port and IP address, in the product console has been fixed.