Vu Van Tien

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine Applications Manager versions prior to 14740 **Description** The issue allows an authenticated SQL Injection attack via a crafted jsp request in the RCA module. **Recommendations** For versions prior to 14740, update to a version newer than 14740 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine Applications Manager version 14740 and prior **Description** The issue is related to a lack of protection against SQL query structure exploitation in the Zoho ManageEngine Applications Manager. This can be exploited by a remote attacker using a crafted jsp request in the SAP module, allowing the execution of arbitrary SQL queries. **Recommendations** For Zoho ManageEngine Applications Manager version 14740 and prior, update to a version later than 14740 to resolve the issue. At the moment, there is no information about other specific fixes for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine Application Manager versions prior to 14684 Zoho ManageEngine Application Manager versions 14689 through 14750 **Description** The AlarmEscalation module in Zoho ManageEngine Application Manager is vulnerable to an unauthenticated SQL Injection attack. **Recommendations** For versions prior to 14684, update to a version after 14684 to resolve the issue. For versions 14689 through 14750, update to a version after 14750 to resolve the issue. As a temporary workaround, consider disabling the AlarmEscalation module until a patch is available.