CVE-2014-7868

Name of the Vulnerable Software and Affected Versions ManageEngine OpManager versions 11.3 through 11.4 IT360 versions 10.3 through 10.4 Social IT Plus version 11.0

Description The issue allows remote attackers or remote authenticated users to execute arbitrary SQL commands. This can be achieved via the OPM BVNAME parameter in a Delete operation to the "APMBVHandler" servlet or the query parameter in a compare operation to the "DataComparisonServlet" servlet.

Recommendations For ManageEngine OpManager versions 11.3 through 11.4, consider disabling the APMBVHandler and DataComparisonServlet servlets until a patch is available. For IT360 versions 10.3 through 10.4, restrict access to the DataComparisonServlet servlet to minimize the risk of exploitation. For Social IT Plus version 11.0, avoid using the query parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.