Vulnerabilities in OpManager 12.0

VULNERABILITY DETAILS (found in build 12000)

Vulnerability 1:

Unrestricted File Upload:

OpManager fails to validate, or improperly validates, files before they are uploaded to the system. As a result, an attacker might be able to upload an arbitrary JSP file and execute it by directly requesting the uploaded file.

Vulnerability 2:

Cross-Site Scripting:

OpManager suffers from a stored XSS vulnerability. Input passed through the "post" parameter of the group chat feature is not sanitized, allowing an attacker to execute HTML code in another user's browser session.

Vulnerability 3:

Cross-Site Request Forgery:

The vulnerability exists because OpManager fails to implement an anti-CSRF token for certain actions. This Cross-Site Request Forgery vulnerability enables an unprivileged attacker to add or delete OpManager's administrator accounts.

Full details of these vulnerabilities are given in the attached PDF.

Fix:

Steps to apply the 12200 Issues Fixed Update Patch on a 12200 Windows installation:

1. Download the 12200FixesPatch.zip file from the URL below and save it under /OpManager.
2. Stop the OpManager service.
3. Rename the old /OpManager/12200FixesUpdate folder if it exists.
4. Rename the old /OpManager/logs folder and recreate a new, empty /OpManager/logs folder.
5. Extract the downloaded 12200FixesPatch.zip directly under the /OpManager directory using 'Extract Here' and make sure the subfolder /OpManager/12200FixesUpdate now exists.
6. Download the batch file 12200IssuesUpdt_Dec22.bat, save it under /OpManager and execute it.
7. Start the OpManager service, clear the browser cookie and try again.
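The seven steps above as an added PowerShell script (not a ManageEngine tool); it assumes the install directory and Windows service name given as parameters (check yours with Get-Service), that 12200FixesPatch.zip and 12200IssuesUpdt_Dec22.bat are already saved under the OpManager home because the page gives no download URL, and that it runs from an elevated prompt.

```powershell
# Added example, not ManageEngine's own script. The install path and service
# name below are assumptions; adjust them to your system before running.
param(
    [string]$OpManagerHome = 'C:\ManageEngine\OpManager',
    [string]$ServiceName   = 'OpManager'
)
$ErrorActionPreference = 'Stop'
$stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
$zip   = Join-Path $OpManagerHome '12200FixesPatch.zip'
$bat   = Join-Path $OpManagerHome '12200IssuesUpdt_Dec22.bat'
$fixes = Join-Path $OpManagerHome '12200FixesUpdate'
$logs  = Join-Path $OpManagerHome 'logs'

# Step 1 (download) is assumed done: refuse to continue if either file is missing.
foreach ($f in @($zip, $bat)) {
    if (-not (Test-Path $f)) { throw "Required file not found: $f" }
}

# Step 2: stop the service and wait until it has really stopped before touching files.
Stop-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))

# Step 3: keep the old fixes folder under a timestamped name if it exists.
if (Test-Path $fixes) { Rename-Item -Path $fixes -NewName "12200FixesUpdate_old_$stamp" }

# Step 4: keep the old logs (useful evidence if the vulnerabilities were already
# exploited on this host) and recreate an empty logs folder.
if (Test-Path $logs) { Rename-Item -Path $logs -NewName "logs_old_$stamp" }
New-Item -ItemType Directory -Path $logs | Out-Null

# Step 5: extract directly into the OpManager home and verify the expected subfolder appeared.
Expand-Archive -Path $zip -DestinationPath $OpManagerHome -Force
if (-not (Test-Path $fixes)) {
    throw "Extraction did not create $fixes; the archive layout is not what the patch expects."
}

# Step 6: run the batch file from the OpManager home and stop on a non-zero exit code.
$proc = Start-Process -FilePath $bat -WorkingDirectory $OpManagerHome -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) { throw "Patch batch file exited with code $($proc.ExitCode)" }

# Step 7: start the service again; clearing the browser cookie remains a manual step.
Start-Service -Name $ServiceName
Write-Host "Patch applied; clear the browser cookie before logging in again."
```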
