PT-2019-13985 · Zoho · Zoho Manageengine Opmanager

Akkus +1 · Published 2019-08-16 · Updated 2019-08-26 · CVE-2019-15104

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions:
Zoho ManageEngine OpManager versions prior to 12.5

Description:
A SQL Injection issue exists in the jsp/NewThresholdConfiguration.jsp file via the resourceid parameter, allowing a low-authority user to gain SYSTEM authority on the server. This can lead to uploading malicious files using the "Execute Program Action(s)" feature.

Recommendations:
For Zoho ManageEngine OpManager versions prior to 12.5, as a temporary workaround, consider restricting access to the jsp/NewThresholdConfiguration.jsp file and the "Execute Program Action(s)" feature until a patch is available. Avoid using the resourceid parameter in the affected API endpoint until the issue is resolved.
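
A log review that supports the recommendation above, added here as an example and not taken from Zoho or from the advisory: it lists requests to jsp/NewThresholdConfiguration.jsp and marks those whose resourceid is not a plain integer. The Combined Log Format, the integer-only assumption for resourceid, the function names and the sample log lines are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path and parameter named in the advisory.
VULN_PATH = "jsp/newthresholdconfiguration.jsp"
PARAM = "resourceid"

# Assumption: a front-end proxy logs requests in Common/Combined Log Format.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
# Assumption: a legitimate resourceid is a plain ASCII integer.
PLAIN_ID_RE = re.compile(r"[0-9]+")

def review_line(line):
    """Return (client, status, values, verdict) for a hit on the page, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    parts = urlsplit(target)
    if not parts.path.lower().endswith(VULN_PATH):
        return None
    # Only the query string is visible in access logs; POST bodies are not.
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    odd = any(not PLAIN_ID_RE.fullmatch(v) for v in values)
    # "review": the page was reached at all, worth checking while unpatched.
    # "suspicious": the parameter carried something other than digits.
    return client, int(status), values, "suspicious" if odd else "review"

def scan(lines):
    """Collect findings for every log line that touches the affected page."""
    return [hit for hit in map(review_line, lines) if hit is not None]

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Aug/2019:10:01:02 +0000] '
    '"GET /jsp/NewThresholdConfiguration.jsp?resourceid=301 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [16/Aug/2019:10:03:40 +0000] '
    '"GET /jsp/NewThresholdConfiguration.jsp?resourceid=301%27%3B-- HTTP/1.1" 200 5120',
    '10.0.0.5 - - [16/Aug/2019:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, status, values, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:10} {client} status={status} {PARAM}={values}")
```

Once access to the page is restricted as recommended, any "review" hit from an unexpected client is itself a sign that the restriction is not being enforced.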

Exploit

Fix

SQL injection

Weakness Enumeration

Related identifiers

CVE-2019-15104

Affected products

Zoho Manageengine Opmanager