CVE-2014-3996: SQL Injection
First published: Fri Dec 05 2014(Updated: )
SQL injection vulnerability in the LinkViewFetchServlet servlet in ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90043, Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7 build 7003, IT360 and IT360 Managed Service Providers (MSP) edition before 10.3.3 build 10330, and possibly other ManageEngine products, allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the sv parameter to LinkViewFetchServlet.dat.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Manageengine It360 | <=10.3.3 | |
| Manageengine It360 | <=10.3.3 | |
| ManageEngine Password Manager Pro | <=7.0 | |
| ManageEngine Password Manager Pro | <=7.0 | |
| ManageEngine Desktop Central | <=9.0 | |
| ManageEngine Desktop Central | <=9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/127973/ManageEngine-Password-Manager-MetadataServlet.dat-SQL-Injection.html
- http://seclists.org/fulldisclosure/2014/Aug/55
- http://seclists.org/fulldisclosure/2014/Aug/85
- http://www.securityfocus.com/bid/69305
- https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc_pmp_it360_sqli.txt
- https://raw.githubusercontent.com/pedrib/PoC/master/msf_modules/manageengine_dc_pmp_sqli.rb
- agent/author
- agent/references
- agent/severity
- agent/type
- collector/nvd-index
- vendor/manageengine
- canonical/manageengine it360
- version/manageengine it360/10.3.3
- canonical/manageengine password manager pro
- version/manageengine password manager pro/7.0
- canonical/manageengine desktop central
- version/manageengine desktop central/9.0