Abstract Advisory Information


An endpoint of the application is vulnerable to Cross-Site WebSocket Hijacking (CSWSH): the WebSocket upgrade request is not restricted by origin, so a page on another site can open the socket with the victim's session.
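The standard server-side mitigation for CSWSH is to validate the Origin header during the WebSocket upgrade before any session-authenticated work is done. The following is an added example written for this advisory, not code from the vendor or the product; the allowlist host, the header dictionaries and the upgrade handler are constructed for illustration, and the accept-key derivation follows RFC 6455.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Constructed allowlist for this example (hypothetical host, not from the advisory).
ALLOWED_ORIGINS = {("https", "nms.example.internal", 443)}

# Fixed GUID from RFC 6455 used to derive Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def normalize_origin(origin):
    """Parse an Origin header value into (scheme, host, port), applying the
    default port for the scheme. Returns None for anything that is not a
    well-formed http(s) origin, including the literal 'null' origin."""
    if not origin or origin.strip().lower() == "null":
        return None
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # A serialized origin has no path, query, fragment or userinfo.
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port)


def origin_is_allowed(headers, allowed=ALLOWED_ORIGINS):
    """Decide whether a WebSocket upgrade may proceed for the given request
    headers (dict, looked up case-insensitively). Browsers always send Origin
    on WebSocket upgrades, so a missing or unparsable value is treated as
    cross-site and rejected (fail closed)."""
    lookup = {k.lower(): v for k, v in headers.items()}
    if lookup.get("upgrade", "").lower() != "websocket":
        return False
    origin = normalize_origin(lookup.get("origin"))
    return origin is not None and origin in allowed


def accept_key(client_key):
    """Sec-WebSocket-Accept = base64(SHA-1(Sec-WebSocket-Key + GUID)) per RFC 6455."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def handle_upgrade(headers, allowed=ALLOWED_ORIGINS):
    """Hypothetical upgrade handler: returns (status, response_headers).
    The origin check runs before the handshake is completed, so a cross-site
    page never gets a live socket tied to the victim's cookies."""
    lookup = {k.lower(): v for k, v in headers.items()}
    if not origin_is_allowed(headers, allowed):
        return 403, {"Content-Type": "text/plain"}
    key = lookup.get("sec-websocket-key")
    if not key:
        return 400, {"Content-Type": "text/plain"}
    return 101, {
        "Upgrade": "websocket",
        "Connection": "Upgrade",
        "Sec-WebSocket-Accept": accept_key(key),
    }
```

The check is deliberately an exact match on scheme, host and port rather than a substring or regular-expression test, since a suffix check such as `endswith("example.internal")` is defeated by an attacker-controlled hostname that merely contains the trusted name. Origin validation complements, and does not replace, binding the socket to a CSRF-style token or a SameSite cookie policy.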

Author: Dominique Righetto

Version affected


Name: Network Configuration Manager

Versions: 12.6.165

Common Vulnerability Scoring System


4.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Patches


OpManager v12.7

Build No 127133 – August 2, 2023

References


Vulnerability Disclosure Timeline


  • 26/12/2022: Vulnerability discovered
  • 03/01/2023: Vulnerability reported to CERT-XLM
  • 06/01/2023: Vulnerability reported to Zoho through the disclosure form
  • 06/01/2023: Zoho acknowledged the report under ID ZVE-2023-0115
  • 06/02/2023: Proof of concept shared with Zoho
  • 09/02/2023: Affected service changed from Network Configuration Manager to OpManager
  • 21/02/2023: Zoho confirmed the issue is being worked on
  • 10/03/2023: Update requested from Zoho
  • 14/03/2023: Zoho requested more information
  • 15/03/2023: Proof of concept sent to Zoho again
  • 30/03/2023: Zoho confirmed the bug is being fixed
  • 11/04/2023: CVE ID assigned: CVE-2023-29505
  • 14/04/2023: Update requested from Zoho
  • 25/04/2023: Update requested from Zoho
  • 08/05/2023: Update requested from Zoho
  • 23/05/2023: Zoho updated their CVE ID
  • 24/05/2023: Update requested from Zoho
  • 13/06/2023: Update requested from Zoho
  • 13/06/2023: Zoho replied that the fix is expected mid-July
  • 11/07/2023: Update requested from Zoho
  • 12/07/2023: Zoho awarded a reward
  • 18/07/2023: Asked Zoho for the fix build number
  • 01/08/2023: Update requested from Zoho
  • 02/08/2023: Patch build number provided by Zoho
  • 03/08/2023: Planned public disclosure