PT-2015-7596 · ManageEngine · ManageEngine OpManager

Xistence · Published 2015-10-09 · Updated 2015-10-09 · CVE-2015-7766

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: ManageEngine OpManager versions 11.6, 11.5, and earlier
Description: The "api/json/admin/SubmitQuery" API endpoint is meant to let an administrator run only a restricted set of SQL queries, but the restriction is enforced by matching keywords in the submitted query text rather than by parsing the statement or by limiting privileges at the database. As the original example implies, the check expects the words of a write statement to be separated by ordinary whitespace, so an authenticated remote administrator can defeat it by placing an inline SQL comment between them, for example "INSERT/**/INTO" in place of "INSERT INTO": the filter no longer recognises the statement, while the database treats the comment as whitespace and executes the write. The result is full read/write SQL access to the OpManager database from an administrator account, which is what the CVSS vector records (Au:S together with C:C/I:C/A:C).
Recommendations: For ManageEngine OpManager versions 11.6, 11.5, and earlier, restrict access to the "api/json/admin/SubmitQuery" API endpoint (for instance at a reverse proxy or firewall in front of the OpManager web console) until a fix is available. Because the issue is only reachable with administrative credentials, keep the number of accounts holding the administrator role to a minimum as a temporary workaround. Requests to that endpoint whose query contains SQL comment sequences ("/*", "--") or write keywords such as INSERT, UPDATE, DELETE, DROP or ALTER should be treated as suspicious and reviewed in the web-server logs.
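As an added illustration, not OpManager's own code and not Xistence's exploit, the following Python reconstructs the kind of text-matching restriction the description above refers to, shows why "INSERT/**/INTO" slips past it, puts a hardened check beside it, and runs that hardened check over access-log lines to flag SubmitQuery requests of the kind the recommendations say should be reviewed. The regular expressions, the "query" parameter name, the common-log-format lines and the table names are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# 1. Weak, text-matching restriction. This is a hypothetical reconstruction of the kind of
#    check the advisory describes, NOT OpManager's actual code. Each pattern expects the
#    words of a write statement to be separated by ordinary whitespace.
WRITE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bINSERT\s+INTO\b",
    r"\bDELETE\s+FROM\b",
    r"\bUPDATE\s+\w+\s+SET\b",
    r"\bDROP\s+TABLE\b",
    r"\bALTER\s+TABLE\b",
    r"\bTRUNCATE\s+TABLE\b",
)]


def naive_is_read_only(query: str) -> bool:
    """Weak check: scan the raw query text for write statements.

    "INSERT/**/INTO t VALUES (1)" passes because "/**/" is not whitespace to the regex,
    while the SQL engine treats the comment as whitespace and runs the INSERT.
    """
    return not any(p.search(query) for p in WRITE_PATTERNS)


# 2. Hardened restriction: refuse comments outright, refuse stacked statements,
#    allow-list the leading keyword, and only then re-run the write-statement scan.
SQL_COMMENT = re.compile(r"/\*.*?\*/|--[^\r\n]*", re.DOTALL)


def hardened_is_read_only(query: str) -> bool:
    stripped = query.strip()
    if not stripped:
        return False
    if SQL_COMMENT.search(stripped):
        return False  # an ad-hoc report query has no legitimate need for comments
    if ";" in stripped.rstrip(";"):
        return False  # "SELECT 1; DELETE FROM t" (a ';' inside a string literal is refused too, deliberately)
    if stripped.split(None, 1)[0].upper() != "SELECT":
        return False  # no WITH either: some dialects allow data-modifying CTEs
    return not any(p.search(stripped) for p in WRITE_PATTERNS)


# 3. Detection over web-server access logs. Assumptions, not facts from the advisory:
#    the query travels URL-encoded in a parameter named "query", and the log is in
#    common log format. The sample lines below are constructed for this example and
#    the table names in them are made up.
SUBMIT_QUERY_PATH = "/api/json/admin/SubmitQuery"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_submitquery_requests(log_lines):
    """Return (line, decoded_query) pairs for SubmitQuery requests the hardened check refuses."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != SUBMIT_QUERY_PATH:
            continue
        for q in parse_qs(parts.query).get("query", []):
            if not hardened_is_read_only(q):
                hits.append((line, q))
    return hits


SAMPLE_LOG = [
    '10.0.0.5 - admin [09/Oct/2015:10:12:03 +0000] "GET /api/json/admin/SubmitQuery?query=SELECT+*+FROM+Alerts HTTP/1.1" 200 512',
    '10.0.0.5 - admin [09/Oct/2015:10:13:41 +0000] "GET /api/json/admin/SubmitQuery?query=INSERT/**/INTO+Users+VALUES(1) HTTP/1.1" 200 18',
    '10.0.0.9 - admin [09/Oct/2015:10:14:02 +0000] "GET /api/json/admin/SubmitQuery?query=SELECT+1%3BDELETE+FROM+Alerts HTTP/1.1" 200 18',
    '10.0.0.7 - - [09/Oct/2015:10:15:00 +0000] "GET /index.jsp HTTP/1.1" 200 9000',
]


if __name__ == "__main__":
    bypass = "INSERT/**/INTO Users VALUES (1)"
    print("naive check lets the bypass through:", naive_is_read_only(bypass))
    print("hardened check refuses it:", not hardened_is_read_only(bypass))
    for _line, q in suspicious_submitquery_requests(SAMPLE_LOG):
        print("suspicious SubmitQuery:", q)
```

The hardened function is still a text filter, and text filters keep losing to dialect features nobody anticipated; it is a stop-gap for the log review and workaround described above. The durable control is to make the endpoint's database connection incapable of writing at all (a database role without write privileges, or a read-only transaction), so that a bypass of the filter changes nothing, and then to apply the vendor fix.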


Weakness Enumeration: none listed
Related Identifiers: CVE-2015-7766
Affected Products: ManageEngine OpManager