SB2019081609 - SQL injection in Zoho ManageEngine Applications Manager

Description

This security bulletin contains information about 1 security vulnerability.

1) SQL injection (CVE-ID: CVE-2019-15104)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists in "jsp/NewThresholdConfiguration.jsp" due to insufficient sanitization of user-supplied data passed via the "resourceid" parameter. A remote authenticated attacker can gain the authority of SYSTEM on the server by uploading a malicious file using the "Execute Program Action(s)" feature and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.

Remediation

Install update from vendor's website.

References

• http://pentest.com.tr/exploits/DEFCON-ManageEngine-OpManager-v12-4-Privilege-Escalation-Remote-Command-Execution.html
• https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-15104.html