iManager 2.7 SP5 Tomcat Vulnerable to XSS Request Forgery

  • 7011482
  • 10-Dec-2012
  • 10-Dec-2012

Environment

Novell iManager 2.7.5
NetIQ iManager 2.7.5

Situation

iManager 2.7 SP5 running on Tomcat is vulnerable to cross-site request forgery (CSRF; the TID title calls this "XSS Request Forgery"). A page on a malicious site can cause the browser of a user who is logged in to iManager to submit a request to the iManager server, and the server processes that request as if the user had submitted it deliberately.
 
Prerequisites for launching the attack
 
All of the following conditions must be met for this vulnerability to be exploited:

1. The user must be logged in to iManager and then click a button or link posted on the malicious site.
2. The user must open the malicious site in a new tab or new window of the same browser instance, so that the browser still holds the iManager session and attaches it to the forged request.
3. The attacker must know every detail of the request
(i.e., the IP address of the iManager server, the port it runs on, all of the request parameters, etc.).
 
 
 
Impact
 
If the attack succeeds, the forged request can perform any iManager task that lies within the rights of the logged-in user. When all of the above conditions are met, the iManager server honours the request as though it had come from the authenticated user, because the browser attaches the user's session automatically and the server does not distinguish a request initiated by another site from one the user made intentionally.
 
 
 
Resolution
 
Engineering is aware of the issue.  It is hoped that a fix for this will be available soon.