First published: Fri Aug 16 2019
An issue was discovered in Zoho ManageEngine OpManager through 12.4x. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Zohocorp ManageEngine Applications Manager | >=12.0, <=14.0 | |
The severity of CVE-2019-15104 is critical.
CVE-2019-15104 affects Zohocorp ManageEngine Applications Manager versions 12.0 to 14.0.
CVE-2019-15104 is a SQL Injection vulnerability.
A low-authority user can exploit CVE-2019-15104 by injecting SQL code through the resourceid parameter in jsp/NewThresholdConfiguration.jsp, allowing them to gain SYSTEM authority on the server.
Yes, there are security updates available for CVE-2019-15104. Please refer to the ManageEngine Applications Manager website for more information.
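A defender can review web access logs for requests to the affected page whose resourceid value is not what the application would normally send. The following is an added example, not code from the vendor or from this advisory; it assumes common/combined access log format, that legitimate resourceid values are plain decimal integers, and that the parameter appears in the query string (POST bodies are not visible in access logs). The function name and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path and parameter named in the CVE description.
TARGET_PATH = "jsp/newthresholdconfiguration.jsp"
PARAM = "resourceid"

# Client address and request target from a common/combined log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Assumption: legitimate resourceid values are plain decimal integers.
EXPECTED_VALUE = re.compile(r"\d+")


def suspicious_requests(lines):
    """Return (client, decoded_value) for each request to the affected
    JSP whose resourceid is not a plain integer."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        client, target = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith(TARGET_PATH):
            continue
        # parse_qs percent-decodes values; keep_blank_values keeps
        # an empty "resourceid=" so it is reported too.
        params = parse_qs(url.query, keep_blank_values=True)
        for key, values in params.items():
            if key.lower() != PARAM:
                continue
            for value in values:
                if not EXPECTED_VALUE.fullmatch(value):
                    hits.append((client, value))
    return hits


# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Aug/2019:10:00:01 +0000] "GET /jsp/NewThresholdConfiguration.jsp?resourceid=10000123 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [16/Aug/2019:10:02:17 +0000] "GET /jsp/NewThresholdConfiguration.jsp?resourceid=10000123%27 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [16/Aug/2019:10:03:40 +0000] "GET /index.do?resourceid=abc HTTP/1.1" 200 900',
]
```

A hit is a lead for review rather than proof of exploitation; the same integer check applied server-side, together with a parameterized query, is the usual remediation pattern for this class of bug.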