PT-2019-13987 · Zoho · Zoho Manageengine Opmanager
Akkus +1 · Published 2019-08-16 · Updated 2020-08-24 · CVE-2019-15106
CVSS v3.1: 9.8 Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Zoho ManageEngine OpManager versions prior to build 14310
Description
An issue allows bypassing the user password requirement, enabling command execution on the server. The password is constructed by appending '@opm' to the username. For instance, if the username is 'admin', the password would be 'admin@opm'.
Recommendations
For versions prior to build 14310, update to a version that includes the fix for this issue to prevent password bypass and unauthorized command execution. As a temporary workaround, consider restricting access to the server to minimize the risk of exploitation.
Exploit
Fix
Missing Authentication
Weakness Enumeration
Related Identifiers
Affected Products
Zoho Manageengine Opmanager