First published: Fri Aug 16 2019
An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Zohocorp ManageEngine Applications Manager | >=12.0 <=14.2 | |
CVE-2019-15105 is a SQL Injection vulnerability in Zoho ManageEngine Application Manager through 14.2, which allows a low-authority user to gain the authority of SYSTEM on the server.
CVE-2019-15105 has a severity rating of 8.8 (Critical).
A low-authority user can exploit CVE-2019-15105 by injecting SQL commands through the resourceid parameter in jsp/NewThresholdConfiguration.jsp, allowing them to gain the authority of SYSTEM on the server.
Yes, Zoho ManageEngine has released security updates to address the CVE-2019-15105 vulnerability. It is recommended to apply the latest updates as soon as possible.
You can find more information about CVE-2019-15105 in the following references: [http://pentest.com.tr/exploits/DEFCON-ManageEngine-APM-v14-Privilege-Escalation-Remote-Command-Execution.html](http://pentest.com.tr/exploits/DEFCON-ManageEngine-APM-v14-Privilege-Escalation-Remote-Command-Execution.html), [https://www.exploit-db.com/exploits/47228](https://www.exploit-db.com/exploits/47228), [https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-15105.html](https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-15105.html).