PT-2019-15901 · Zoho · Zoho Manageengine Applications Manager
Published 2019-12-11 · Updated 2023-02-02 · CVE-2019-19649
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Zoho ManageEngine Applications Manager versions prior to 13620
Description
The vulnerability allows remote, unauthenticated SQL injection through the eventid parameter of the SyncEventServlet endpoint; the injection point is the doGet method in SyncEventServlet.java.
Recommendations
For versions prior to 13620, update to version 13620 or later to resolve the issue. As a temporary workaround, consider restricting access to the SyncEventServlet endpoint to minimize the risk of exploitation. Avoid using the eventid parameter in the affected endpoint until the issue is resolved.
Fix
SQL injection
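To illustrate the weakness class and the fix the advisory calls for, here is an added example, not ManageEngine's code: a hypothetical SyncEventServlet whose doGet reads eventid, shown with the vulnerable string-concatenation shape beside a hardened version that validates the id and binds it through a PreparedStatement. Only the class, method and parameter names come from the advisory; the table and column names and the jdbcUrl init parameter are assumptions.

```java
import java.io.IOException;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet sketch: only the class, method and parameter names come
// from the advisory; table and column names and the JDBC URL are assumptions.
public class SyncEventServlet extends HttpServlet {

    // Vulnerable shape (CWE-89): the untrusted eventid value is spliced into the
    // query text, so SQL metacharacters in the parameter change the statement.
    static String vulnerableQuery(String eventid) {
        return "SELECT EVENTID, MESSAGE FROM Alert_Events WHERE EVENTID = " + eventid;
    }

    // Hardened doGet: validate the id as a bounded decimal, then bind it as a
    // typed parameter so the database never parses request text as SQL.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String raw = req.getParameter("eventid");
        if (raw == null || !raw.matches("\\d{1,18}")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "eventid must be a numeric id");
            return;
        }
        long eventId = Long.parseLong(raw);
        String jdbcUrl = getServletContext().getInitParameter("jdbcUrl");  // assumed config source
        try (Connection conn = DriverManager.getConnection(jdbcUrl);
             PreparedStatement ps = conn.prepareStatement(
                 "SELECT EVENTID, MESSAGE FROM Alert_Events WHERE EVENTID = ?")) {
            ps.setLong(1, eventId);  // bound as a value, not concatenated into the query
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    resp.getWriter().println(rs.getLong("EVENTID") + " " + rs.getString("MESSAGE"));
                }
            }
        } catch (SQLException e) {
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }
}
```

The regex bound of 18 digits keeps the value within a Java long before parsing, so the check and the bind together close the injection path without relying on escaping.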
Weakness Enumeration
Related Identifiers
Affected Products
Zoho Manageengine Applications Manager