First published: Thu Mar 08 2018
A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specified system. This endpoint calls several internal classes, and then executes a PowerShell script. If the specified system is OfficeSharePointServer, then the username and password parameters to this script are not validated, leading to Command Injection.
Credit: cve@mitre.org
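The defect described above is the classic command-injection shape: user-supplied credential fields are spliced into a command string that a shell-like parser (here PowerShell) later interprets. The following is an added illustration written for this page, not code from Applications Manager; the script path `C:\Scripts\check-sharepoint.ps1`, the parameter names `-User`/`-Password`, and the sample inputs are constructed. It shows the vulnerable string-building pattern beside a hardened builder that allowlists the account name and hands each value to PowerShell as a separate argument-vector element via `-File`, so the credential values are never parsed as script text.

```python
import re
import subprocess

# Constructed sample inputs for the demonstration (not values from the advisory).
SAFE_USER = r"CORP\svc_sharepoint"
SAFE_PASS = "p;w|d`S3cure"                    # metacharacters are legitimate inside a password
HOSTILE_USER = "admin; Write-Host injected"   # a credential field carrying an extra statement

# Hypothetical script path; the product's actual script name is not on the page.
CHECK_SCRIPT = r"C:\Scripts\check-sharepoint.ps1"


def build_command_unsafe(username: str, password: str) -> str:
    """Vulnerable pattern (illustration only): credentials spliced into one
    command string that PowerShell will parse as script text.  Any character
    the parser treats specially (';', '|', '&', '`', '$(...)') can end the
    intended statement and start another one, even in a legitimate password."""
    return (f'powershell.exe -NoProfile -Command "& {CHECK_SCRIPT} '
            f'-User {username} -Password {password}"')


# Allowlist for account names: optional DOMAIN\ prefix, then the account itself.
# Whitespace, quotes, ';', '|', '&', '$' and '`' are all outside the set.
USERNAME_RE = re.compile(r"^(?:[A-Za-z0-9._-]{1,64}\\)?[A-Za-z0-9._@-]{1,128}$")


def validate_username(username: str) -> bool:
    """Positive validation: accept only characters an account name can contain."""
    return USERNAME_RE.fullmatch(username) is not None


def build_command_safe(username: str, password: str) -> list[str]:
    """Hardened pattern: validate the field that has a known shape, then pass
    every value as its own argument-vector element to a script file.  With
    -File, PowerShell binds the remaining arguments to the script's parameters
    as literal string values, so the password is never parsed as script text."""
    if not validate_username(username):
        raise ValueError("username contains characters outside the allowlist")
    if not password or "\x00" in password:
        raise ValueError("password is empty or contains NUL")
    return [
        "powershell.exe", "-NoProfile", "-NonInteractive",
        "-File", CHECK_SCRIPT,
        "-User", username,
        "-Password", password,
    ]


def is_rejected(username: str, password: str) -> bool:
    """True when the hardened builder refuses the input instead of building a command."""
    try:
        build_command_safe(username, password)
    except ValueError:
        return True
    return False


def render_argv(argv: list[str]) -> str:
    """Show how the argv would be quoted on the Windows command line;
    subprocess.list2cmdline is CPython's own CreateProcess quoting routine."""
    return subprocess.list2cmdline(argv)


if __name__ == "__main__":
    print("unsafe :", build_command_unsafe(HOSTILE_USER, SAFE_PASS))
    print("safe   :", render_argv(build_command_safe(SAFE_USER, SAFE_PASS)))
    print("hostile username rejected:", is_rejected(HOSTILE_USER, SAFE_PASS))
```

Two points carry over to a real fix. The allowlist is only appropriate for a field with a known grammar (an account name); a password cannot be allowlisted, which is exactly why it must travel as a discrete argument rather than inside a parsed command string. And the argument-vector boundary only holds if the receiving script then passes the values to an API (for example a credential object) instead of re-interpolating them into another command or `Invoke-Expression` call.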
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Zohocorp ManageEngine Applications Manager | < 13.6 | Upgrade to 13.6 (build 13640) or later |
CVE-2018-7890 is a remote code execution issue in Zoho ManageEngine Applications Manager before 13.6.
CVE-2018-7890 has a severity rating of 9.8, which is classified as critical.
CVE-2018-7890 allows remote code execution, potentially compromising the security of Zoho ManageEngine Applications Manager before version 13.6.
To fix CVE-2018-7890, it is recommended to upgrade Zoho ManageEngine Applications Manager to version 13.6 or later.
References for CVE-2018-7890:
- SecurityFocus: http://www.securityfocus.com/bid/103358
- Metasploit Framework: https://github.com/rapid7/metasploit-framework/pull/9684
- PenTest Blog Advisory: https://pentest.blog/advisory-manageengine-applications-manager-remote-code-execution-sqli-and/