CVE-2023-29505

by mrahier96

Abstract Advisory Information

An endpoint of the application is prone to a Cross-site WebSocket hijacking attack.
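Cross-site WebSocket hijacking works because a browser attaches the session cookie to the WebSocket handshake no matter which page opened the socket, so the server has to check the Origin header itself. The following is an added illustration of that server-side check, not the vendor's code or the advisory author's; the allowlisted hosts are constructed placeholders.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# Constructed allowlist for this example: the product's real origins are not in the advisory.
ALLOWED_ORIGINS = {"https://ncm.example.internal", "https://ncm.example.internal:8443"}


def normalize_origin(origin: str) -> str | None:
    """Canonicalise an Origin value to scheme://host[:port]; None if it is not a usable web origin."""
    try:
        parts = urlsplit(origin.strip())
        port = parts.port  # raises ValueError on a malformed port such as ':abc'
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname or parts.path not in ("", "/"):
        return None
    default = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def should_accept_upgrade(headers: dict, allowed=ALLOWED_ORIGINS) -> tuple[bool, str]:
    """Decide whether a cookie-authenticated WebSocket handshake may proceed.

    The Origin header is the only signal that separates the legitimate UI from a page on
    another site, so it is compared by exact match against the allowlist. Prefix or substring
    matching would wrongly admit hosts like ncm.example.internal.attacker.test.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket handshake"
    origin = h.get("origin")
    if origin is None:
        return False, "missing Origin: browsers always send it on a handshake, so fail closed"
    if origin.strip().lower() == "null":
        return False, "opaque 'null' origin (sandboxed frame, data: URL or redirect)"
    canonical = normalize_origin(origin)
    if canonical is None:
        return False, f"unparsable Origin {origin!r}"
    if canonical not in {normalize_origin(a) for a in allowed}:
        return False, f"cross-site handshake from {canonical}"
    return True, "origin allowed"
```

A rejected handshake should also be logged with the offending Origin, since a burst of rejections from one foreign origin is the detection signal for an attempted hijack.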

Author: Dominique Righetto

Version affected

Name: Network Configuration Manager

Versions: 12.6.165

Common Vulnerability Scoring System

4.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Patch

OpManager v12.7

Build No 127133 – August 2, 2023

References

Vulnerability Disclosure Timeline

    • 26/12/2022: Vulnerability discovered
    • 03/01/2023: Vulnerability reported to CERT-XLM
    • 06/01/2023: Vulnerability reported to Zoho through the web form
    • 06/01/2023: Zoho tracks the report under ID ZVE-2023-0115
    • 06/02/2023: PoC shared with Zoho
    • 09/02/2023: Affected service changed from Network Configuration Manager to OpManager
    • 21/02/2023: Zoho is working on it
    • 10/03/2023: Update requested from Zoho
    • 14/03/2023: Zoho requests more information
    • 15/03/2023: PoC sent to Zoho
    • 30/03/2023: Confirmation from Zoho that the bug is being fixed
    • 11/04/2023: CVE ID assigned: CVE-2023-29505
    • 14/04/2023: Update requested from Zoho
    • 25/04/2023: Update requested from Zoho
    • 08/05/2023: Update requested from Zoho
    • 23/05/2023: Zoho updated their CVE ID
    • 24/05/2023: Update requested from Zoho
    • 13/06/2023: Update requested from Zoho
    • 13/06/2023: Zoho replies that the fix is expected mid-July
    • 11/07/2023: Update requested from Zoho
    • 12/07/2023: Zoho gave a reward
    • 18/07/2023: Fix build number requested
    • 01/08/2023: Update requested from Zoho
    • 02/08/2023: Patch number provided by Zoho
    • 03/08/2023: Expected vulnerability disclosure