CVE-2014-3996: SQL Injection
First published: Fri Dec 05 2014(Updated: )
SQL injection vulnerability in the LinkViewFetchServlet servlet in ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90043, Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7 build 7003, IT360 and IT360 Managed Service Providers (MSP) edition before 10.3.3 build 10330, and possibly other ManageEngine products, allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the sv parameter to LinkViewFetchServlet.dat.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ManageEngine IT360 | <=10.3.3 | |
| ManageEngine IT360 | <=10.3.3 | |
| ManageEngine PasswordManager Pro | <=7.0 | |
| ManageEngine PasswordManager Pro | <=7.0 | |
| ManageEngine Desktop Central | <=9.0 | |
| ManageEngine Desktop Central | <=9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/127973/ManageEngine-Password-Manager-MetadataServlet.dat-SQL-Injection.html
- http://seclists.org/fulldisclosure/2014/Aug/55
- http://seclists.org/fulldisclosure/2014/Aug/85
- http://www.securityfocus.com/bid/69305
- https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc_pmp_it360_sqli.txt
- https://raw.githubusercontent.com/pedrib/PoC/master/msf_modules/manageengine_dc_pmp_sqli.rb
Frequently Asked Questions
What is the severity of CVE-2014-3996?
CVE-2014-3996 is considered to have a medium severity due to its potential for SQL injection attacks.
How do I fix CVE-2014-3996?
To fix CVE-2014-3996, users should upgrade to the latest versions of ManageEngine Desktop Central, Password Manager Pro, or IT360 that are not vulnerable.
What systems are affected by CVE-2014-3996?
CVE-2014-3996 affects ManageEngine Desktop Central, Password Manager Pro, and IT360 versions below certain build numbers.
What type of vulnerability is CVE-2014-3996?
CVE-2014-3996 is a SQL injection vulnerability, allowing attackers to execute arbitrary SQL queries.
Is CVE-2014-3996 being exploited in the wild?
There is no public evidence to suggest that CVE-2014-3996 is currently being actively exploited in the wild.
- agent/type
- agent/references
- agent/last-modified-date
- agent/first-publish-date
- agent/weakness
- agent/author
- agent/severity
- agent/description
- agent/tags
- agent/softwarecombine
- agent/event
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/manageengine
- canonical/manageengine it360
- version/manageengine it360/10.3.3
- canonical/manageengine passwordmanager pro
- version/manageengine passwordmanager pro/7.0
- canonical/manageengine desktop central
- version/manageengine desktop central/9.0