PT-2012-3052 · Manageengine · Zoho Manageengine Applications Manager

Benjamin Kunz Mejri +3 · Published 2012-02-14 · Updated 2017-08-29 · CVE-2012-1063

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

ManageEngine Applications Manager versions 9.x through 10.x

Description

The issue allows remote attackers to execute arbitrary SQL commands via the viewId parameter to "fault/AlarmView.do" or the period parameter to "showHistoryData.do".

Recommendations

For versions 9.x through 10.x, update to a version that contains a fix for this issue. Continuing to run these versions poses a significant risk due to the SQL injection vulnerabilities.

Exploit

Fix

RCE

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2012-1063

Affected Products

Zoho Manageengine Applications Manager