PT-2014-5663 · Manageengine · It360 Managed Service Providers (Msp) Edition+3
Published
2014-12-05
·
Updated
2019-07-16
·
CVE-2014-3997
CVSS v2.0
7.5
High
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
ManageEngine Password Manager Pro (PMP) versions 5 through 7 build 7003
ManageEngine Password Manager Pro Managed Service Providers (MSP) edition versions 5 through 7 build 7003
ManageEngine IT360 and IT360 Managed Service Providers (MSP) edition versions prior to 10.3.3 build 10330
Description
A SQL injection issue exists in the MetadataServlet servlet, allowing remote attackers or remote authenticated users to execute arbitrary SQL commands. This is achieved by manipulating the
sv parameter to MetadataServlet.dat.Recommendations
For ManageEngine Password Manager Pro (PMP) versions 5 through 7 build 7003, update to a version later than 7 build 7003.
For ManageEngine Password Manager Pro Managed Service Providers (MSP) edition versions 5 through 7 build 7003, update to a version later than 7 build 7003.
For ManageEngine IT360 and IT360 Managed Service Providers (MSP) edition versions prior to 10.3.3 build 10330, update to version 10.3.3 build 10330 or later.
Exploit
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
It360 Managed Service Providers (Msp) Edition
Manageengine It360
Manageengine Password Manager Pro
Manageengine Password Manager Pro Managed Service Providers Edition