I found these XSS vulnerabilities during a pentest back in 2016, but never reported them to the vendor. According to exploit-db.com/search or cxsecurity.com/search this has never been reported, so I'm catching up now in 2019 with old stuff. The cvedetails.com website doesn't mention it: https://www.cvedetails.com/vulnerability-list/vendor_id-8861/product_id-16877/Eset-Remote-Administrator.html. It appears that the issue might have been internally patched. The Mitre website also mentions only one XSS, back from 2009, see https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Eset+Remote+Administrator
Unfortunately, all evidence except a single txt file was lost during the issue with my MS Windows testing VMware image a year or more ago, where I had installed a local version of "All-In-One ERA 6".
Vendor: ESET, LLC, d/b/a ESET North America
Product: ESET Remote Administrator
Version affected: 6
ESET Remote Administrator allows administrators to oversee the entire network, including workstations, servers and smartphones, from a single point. It can be installed on Windows and Linux servers and is also available as a virtual appliance. It handles communication with agents, and collects and stores application data in the database.
Cross-Site Scripting, Reflected
- CVE: CVE-2019-xxxx
- CWE: CWE-79
Proof of Concept 1
Proof of Concept 2
Proof of Concept 3
- OWASP - https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
- Vendor website - https://www.eset.com/au/business/remote-management/remote-administrator/
- Download the latest trial version - https://support.eset.com/kb6114/?locale=en_US&viewlocale=en_US