CVE-2018-17283

Name of the Vulnerable Software and Affected Versions Zoho ManageEngine OpManager versions prior to 12.3 Build 123196

Description The issue allows unauthorized access to certain API endpoints without requiring authentication. Specifically, the /oputilsServlet endpoint can be exploited to obtain an API key. This can be further leveraged to add an admin user via the /api/json/v2/admin/addUser endpoint or to conduct a SQL Injection attack by manipulating the name parameter in the /api/json/device/setManaged endpoint.

Recommendations For versions prior to 12.3 Build 123196, update to version 12.3 Build 123196 or later to resolve the issue. As a temporary workaround, consider restricting access to the /oputilsServlet endpoint and the /api/json/v2/admin/addUser and /api/json/device/setManaged endpoints to minimize the risk of exploitation. Avoid using the name parameter in the /api/json/device/setManaged endpoint until the issue is resolved.