PT-2019-7900 · Zoho · Zoho Manageengine Applications Manager

Elvin Hayes Gentiles

Publicado

2019-05-23

Atualizado

2020-07-27

CVE-2017-11738

CVSS v3.1

8.1

Alta

Vetor

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Zoho ManageEngine Application Manager versions prior to 14.6 Build 14660

Description The issue concerns a Time-based Blind SQL Injection attack. Specifically, the haid parameter of the "/auditLogAction.do" module is vulnerable.

Recommendations For versions prior to 14.6 Build 14660, update to version 14.6 Build 14660 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/auditLogAction.do" module to minimize the risk of exploitation. Avoid using the haid parameter in the affected module until the issue is resolved.

Exploit

Correção

SQL injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-89

Identificadores relacionados

CVE-2017-11738

Produtos afetados

Zoho Manageengine Applications Manager

PT-2019-7900 · Zoho · Zoho Manageengine Applications Manager

CVE-2017-11738

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 7