PT-2015-7596 · Manageengine · Manageengine Opmanager

Xistence · Published 2015-10-09 · Updated 2015-10-09 · CVE-2015-7766

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
ManageEngine OpManager versions 11.6, 11.5, and earlier

Description
The "api/json/admin/SubmitQuery" API endpoint lets a remote, authenticated administrator submit SQL to the OpManager database, subject to restrictions on what the query may do. Those restrictions can be bypassed by placing an SQL comment inside the query, for example writing "INSERT/**/INTO" instead of "INSERT INTO". The database discards the comment before parsing the statement, but the endpoint's restriction evidently matches the literal request text and no longer sees the restricted keyword sequence, so an administrator can run statements the restriction was meant to block. Exploitation requires administrator credentials (CVSS Au:S); the impact is full compromise of the confidentiality, integrity and availability of the data reachable from that endpoint.

Recommendations
For ManageEngine OpManager versions 11.6, 11.5, and earlier, restrict access to the "api/json/admin/SubmitQuery" endpoint (for example at a reverse proxy or firewall) until a fixed build is deployed, and keep the set of accounts holding OpManager administrator rights as small as possible, since the issue is only reachable by an authenticated administrator. Any check applied to submitted SQL must run on text from which comments have been stripped and whitespace normalised, or, better, be replaced by an allow-list of the statement types the endpoint is meant to accept.
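To make the comment trick concrete, the following is an added example, not OpManager's code and not the actual check the product applied: a hypothetical deny-list that matches the raw request text, beside a check that strips comments and normalises the text before applying an allow-list. The function names (naive_is_allowed, normalize, hardened_is_allowed), the keyword list and every query shown are constructed for illustration.

```python
import re

# Added example, not OpManager code. Models a literal keyword deny-list of the kind an SQL
# comment defeats (INSERT/**/INTO), next to a check that normalises the text first and then
# applies an allow-list. All queries used with it are constructed samples.

# Statement shapes a read-only "submit query" endpoint should never pass through.
# The \s+ between INSERT and INTO is the weak spot: a comment is not whitespace.
_DENIED = [re.compile(p) for p in (
    r"\bINSERT\s+INTO\b", r"\bUPDATE\b", r"\bDELETE\b", r"\bDROP\b",
    r"\bALTER\b", r"\bTRUNCATE\b", r"\bCREATE\b", r"\bGRANT\b",
)]

_STRING_LITERAL = re.compile(r"'(?:''|[^'])*'")       # '...' with '' as the escaped quote
_BLOCK_COMMENT = re.compile(r"/\*(?!!).*?\*/", re.S)  # /* ... */ but not MySQL's /*! ... */,
                                                      # whose body MySQL executes as SQL
_LINE_COMMENT = re.compile(r"--[^\n]*")               # -- ... to end of line
_SELECT = re.compile(r"SELECT\b")


def _contains_denied(text: str) -> bool:
    return any(p.search(text) for p in _DENIED)


def naive_is_allowed(sql: str) -> bool:
    """Hypothetical filter that matches the raw request text (the pattern the advisory defeats)."""
    return not _contains_denied(sql.upper())


def normalize(sql: str) -> str:
    """Approximate what the database parser sees: literals blanked, comments removed,
    whitespace collapsed, case folded."""
    sql = _STRING_LITERAL.sub("''", sql)   # a quote containing -- or /* must not confuse us
    sql = _BLOCK_COMMENT.sub(" ", sql)     # INSERT/**/INTO  ->  INSERT INTO
    sql = _LINE_COMMENT.sub(" ", sql)      # INSERT--x<newline>INTO  ->  INSERT INTO
    return " ".join(sql.split()).upper()


def hardened_is_allowed(sql: str) -> bool:
    """Allow-list on normalised text: one statement, starting with SELECT, no write keywords."""
    norm = normalize(sql).rstrip(";").strip()
    if not norm or ";" in norm:            # empty, or a second statement stacked after the first
        return False
    if not _SELECT.match(norm):            # positive check: WITH ... DELETE ... SELECT is refused
        return False
    return not _contains_denied(norm)      # deny-list now runs on comment-free text


if __name__ == "__main__":
    # Constructed samples: the bypass payload shape from the advisory and some honest queries.
    for q in ("INSERT INTO alerts VALUES (1)",
              "INSERT/**/INTO alerts VALUES (1)",
              "SELECT name FROM devices WHERE status = 'down'"):
        print(f"{q!r}: naive={naive_is_allowed(q)} hardened={hardened_is_allowed(q)}")
```

The naive filter rejects "INSERT INTO" but passes "INSERT/**/INTO" and "INSERT--x\nINTO", while the hardened check refuses both; it also stops rejecting a legitimate SELECT whose string literal happens to contain "INSERT INTO". The comment syntax must match the target database's dialect: MySQL treats "/*! ... */" as executable and "#" as a line comment, PostgreSQL does not, and a normaliser that strips text the database will execute is itself a bypass. Restricting the database account used by the endpoint to the privileges the queries actually need remains the control that does not depend on getting this parsing right.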


Related identifiers

CVE-2015-7766

Affected products

Manageengine Opmanager