PT-2015-3935 · Zoho · Zoho ManageEngine OpManager +1

Published: 2015-02-04 · Updated: 2018-10-09 · CVE-2014-7864

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions:
ZOHO ManageEngine OpManager versions 8 through 11.5 build 11400
ZOHO ManageEngine IT360 version 10.5 and earlier

Description:
The issue allows remote attackers and remote authenticated users to execute arbitrary SQL commands. The injection is reached through the customerName or serverRole parameter of a standbyUpdateInCentral operation sent to the "servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet" endpoint.

Recommendations:
For ZOHO ManageEngine OpManager versions 8 through 11.5 build 11400, avoid using the customerName and serverRole parameters in the affected servlet until a fix is available. For ZOHO ManageEngine IT360 version 10.5 and earlier, restrict access to the FailOverHelperServlet to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
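A defender watching for this issue wants two things from web-server logs: every request that reaches the FailOverHelperServlet (the recommendation is to restrict it) and, within standbyUpdateInCentral operations, values of customerName or serverRole that carry SQL metacharacters. The following detector is an added example, not code from the advisory or from Zoho; the log format and the sample lines are constructed, and it assumes the request parameters are visible in the logged query string.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint, operation and parameters named in the advisory.
SERVLET = "/servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet"
VULN_OPERATION = "standbyUpdateInCentral"
INJECTABLE = ("customerName", "serverRole")

# Quotes, comment markers and bare SQL keywords have no place in a customer
# name or a server role; treat their presence as an injection attempt.
SQL_META = re.compile(r"['\";]|--|/\*|\b(?:or|and|union|select)\b", re.IGNORECASE)

# Constructed sample log lines (assumed format: "<ip> <method> <target> <status>").
SAMPLE_LOG = """\
10.0.0.5 POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=branch01&serverRole=standby 200
10.0.0.9 POST /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=standbyUpdateInCentral&customerName=x%27%20OR%201%3D1--&serverRole=standby 200
10.0.0.7 GET /servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet?operation=getStatus&customerName=branch02 200
10.0.0.3 GET /apiclient/ember/index.jsp 200
"""


def assess(line):
    """Classify one log line; return None when the servlet was not touched."""
    ip, _method, target, _status = line.split()
    url = urlsplit(target)
    if url.path != SERVLET:
        return None
    # parse_qs percent-decodes values, so an encoded quote is seen as a quote.
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    if params.get("operation") != VULN_OPERATION:
        return ip, "other-operation"
    tainted = [p for p in INJECTABLE if SQL_META.search(params.get(p, ""))]
    if tainted:
        return ip, "sqli-attempt:" + ",".join(tainted)
    return ip, "standby-update"


def scan(log_text):
    """Return (ip, verdict) for every request that reached the servlet."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            verdict = assess(line)
            if verdict:
                hits.append(verdict)
    return hits


if __name__ == "__main__":
    for ip, verdict in scan(SAMPLE_LOG):
        print(ip, verdict)
```

Any "other-operation" or "standby-update" hit from outside the expected standby server is already worth an alert, since the recommendation is to restrict the servlet altogether.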

Exploit

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2014-7864

Affected Products

Zoho ManageEngine IT360
Zoho ManageEngine OpManager