PT-2019-13985 · Zoho · Zoho ManageEngine OpManager

Akkus +1 · Published 2019-08-16 · Updated 2019-08-26 · CVE-2019-15104

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Zoho ManageEngine OpManager versions prior to 12.5

Description
A SQL injection vulnerability exists in the jsp/NewThresholdConfiguration.jsp file via the resourceid parameter. An authenticated low-privileged user can exploit it and, by chaining the result with the "Execute Program Action(s)" feature to upload and run malicious files, obtain SYSTEM privileges on the server.

Recommendations
Update to Zoho ManageEngine OpManager 12.5 or a later release, which is outside the affected range. Where an upgrade cannot be applied immediately, restrict access to the jsp/NewThresholdConfiguration.jsp file and to the "Execute Program Action(s)" feature to trusted administrators, and monitor requests to that endpoint for resourceid values that are not plain numeric identifiers.
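The advisory names the endpoint and the parameter, which is enough to hunt for exploitation attempts in web-server access logs while the workaround is in place. The script below is an added example for this page, not code from the advisory, from Zoho or from the researcher. It assumes combined-format access logs and assumes that resourceid is an internal numeric identifier, so any decoded value that is not a plain run of digits is flagged; the log lines are constructed for illustration only.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in combined-log format. These are not real
# traffic from any OpManager deployment; they only illustrate the pattern.
SAMPLE_LOG = """\
10.0.0.5 - admin [16/Aug/2019:10:01:12 +0000] "GET /jsp/NewThresholdConfiguration.jsp?resourceid=10003 HTTP/1.1" 200 5120
10.0.0.5 - admin [16/Aug/2019:10:01:40 +0000] "GET /jsp/NewThresholdConfiguration.jsp?resourceid=10003%27%20OR%201%3D1-- HTTP/1.1" 200 5120
10.0.0.9 - guest [16/Aug/2019:10:02:03 +0000] "GET /jsp/NewThresholdConfiguration.jsp?resourceid=10003+UNION+SELECT+1,2,3 HTTP/1.1" 500 1024
10.0.0.5 - admin [16/Aug/2019:10:02:30 +0000] "GET /jsp/NewThresholdConfiguration.jsp?resourceid=10003&name=cpu%20util HTTP/1.1" 200 5120
10.0.0.7 - guest [16/Aug/2019:10:03:11 +0000] "GET /apiclient/ember/index.jsp HTTP/1.1" 200 8192
"""

# One regex for a combined-log request line: client, ident, user, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoint named in the advisory; compared case-insensitively because OpManager is
# commonly deployed on Windows, where the file system is not case-sensitive.
VULN_PATH = "/jsp/newthresholdconfiguration.jsp"

# Assumption (not stated in the advisory): a legitimate resourceid is a plain
# decimal integer, so anything else is treated as a possible injection attempt.
INTEGER_RE = re.compile(r"^\d+$")


def is_valid_resourceid(value):
    """True only for a non-empty run of decimal digits (the assumed legitimate shape)."""
    return INTEGER_RE.match(value) is not None


def find_suspicious_requests(log_text):
    """Return one record per request to the vulnerable JSP whose resourceid is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith(VULN_PATH):
            continue
        # parse_qs percent-decodes and turns '+' into spaces, so the check
        # sees the value the way the servlet container handed it to the JSP.
        params = parse_qs(url.query, keep_blank_values=True)
        for value in params.get("resourceid", []):
            if not is_valid_resourceid(value):
                hits.append({
                    "ip": m.group("ip"),
                    "user": m.group("user"),
                    "time": m.group("ts"),
                    "status": int(m.group("status")),
                    "resourceid": value,
                })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} ({hit["user"]}) '
              f'status={hit["status"]} resourceid={hit["resourceid"]!r}')
```

Run against the constructed sample, the script reports the two requests whose decoded resourceid contains SQL syntax and ignores the benign ones, including the request that carries other parameters alongside a numeric resourceid. Parameters sent in a POST body are not visible in an access log, so for full coverage the same check belongs in a WAF rule or reverse-proxy filter that inspects the request body.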

Exploit · Fix · SQL injection


Weakness Enumeration

Related Identifiers

CVE-2019-15104

Affected Products

Zoho ManageEngine OpManager