PT-2019-13986 · Zoho · Zoho Manageengine Applications Manager

Akkus

+1

·

Published

2019-08-16

·

Updated

2019-08-26

·

CVE-2019-15105

CVSS v2.0

9.0

High

Vector AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Zoho ManageEngine Applications Manager, versions through 14.2
Description: A SQL injection vulnerability exists in jsp/NewThresholdConfiguration.jsp, where the resourceid request parameter reaches a database query without adequate validation. Because the page requires only a low-privileged authenticated account (CVSS Au:S), such a user can inject SQL against the backend database. The advisory reports that this can be escalated to SYSTEM privileges on the server: the injection can be used to reach the "Execute Program Action(s)" feature, which runs attacker-supplied programs (for example an uploaded malicious file) with the privileges of the Applications Manager service.
Recommendations: Upgrade Zoho ManageEngine Applications Manager to a vendor release later than 14.2 that contains the fix. Until the update is applied: restrict network access to the Applications Manager web interface to trusted administrators, keep the number of accounts that can log in at all to a minimum, limit which roles may use "Execute Program Action(s)", run the Applications Manager service under a dedicated low-privileged account rather than SYSTEM so that a successful exploit does not directly yield SYSTEM, and monitor requests to jsp/NewThresholdConfiguration.jsp whose resourceid value contains SQL syntax rather than a plain identifier.
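As an added example (not code from the advisory, from the reporter, or from Zoho), the following script shows the monitoring check suggested above: it parses web-server access-log lines in Common Log Format, picks out requests to jsp/NewThresholdConfiguration.jsp, URL-decodes every resourceid value (including repeated parameters, so parameter pollution does not hide a payload) and flags any value that is not a plain numeric identifier. It assumes that resourceid is meant to be an integer ID; the log lines, IP addresses and injection strings are constructed for illustration and are not captured traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format). These are illustrative,
# not traffic captured from a real Applications Manager host.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Aug/2019:10:01:02 +0000] "GET /jsp/NewThresholdConfiguration.jsp?resourceid=10000023 HTTP/1.1" 200 5120
10.0.0.9 - - [16/Aug/2019:10:02:17 +0000] "GET /jsp/NewThresholdConfiguration.jsp?resourceid=10000023'%20AND%201=1-- HTTP/1.1" 200 5120
10.0.0.9 - - [16/Aug/2019:10:02:18 +0000] "GET /jsp/NewThresholdConfiguration.jsp?resourceid=10000023%20UNION%20SELECT%20NULL,NULL-- HTTP/1.1" 500 310
10.0.0.9 - - [16/Aug/2019:10:02:40 +0000] "GET /jsp/NewThresholdConfiguration.jsp?resourceid=10000023&resourceid=1%27%20OR%201%3D1 HTTP/1.1" 200 5120
10.0.0.5 - - [16/Aug/2019:10:03:00 +0000] "GET /jsp/Overview.jsp HTTP/1.1" 200 2048
"""

# Common Log Format: client ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

TARGET_PATH = "/jsp/NewThresholdConfiguration.jsp"
PARAM = "resourceid"
# Assumption: a legitimate resourceid is a decimal integer and nothing else.
INT_RE = re.compile(r"^\d+$")


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_valid_resourceid(value):
    """Allow-list check: only a bare decimal identifier is considered benign."""
    return bool(INT_RE.match(value))


def find_suspicious(log_text):
    """Flag every request to the vulnerable JSP whose resourceid is not numeric."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        # Tomcat on Windows serves paths case-insensitively, so compare lower-cased.
        if parts.path.lower() != TARGET_PATH.lower():
            continue
        # parse_qs percent-decodes values and returns a list per name, so a request
        # that sends resourceid twice (one clean, one injected) is still inspected.
        qs = parse_qs(parts.query, keep_blank_values=True)
        for value in qs.get(PARAM, []):
            if not is_valid_resourceid(value):
                hits.append({
                    "ip": rec["ip"],
                    "ts": rec["ts"],
                    "status": rec["status"],
                    "resourceid": value,
                })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} resourceid={hit['resourceid']!r}")
```

The check is an allow-list on the expected shape of the value rather than a blocklist of SQL keywords, so encoded or obfuscated payloads are still caught as long as they are not a bare integer; the trade-off is that any legitimate non-numeric use of resourceid (none is assumed here) would also be reported.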

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2019-15105

Affected Products

Zoho Manageengine Applications Manager