PT-2019-15902 · Zoho · Zoho Manageengine Applications Manager
Published: 2019-12-11 · Updated: 2023-01-30 · CVE-2019-19650
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Zoho ManageEngine Applications Manager versions prior to 13640
Description
The issue allows a remote, authenticated attacker to perform SQL injection via the agentid parameter of the Agent servlet, which is handled by the process function in Agent.java.
Recommendations
For versions prior to 13640, update to version 13640 or later to resolve the issue. As a temporary workaround, consider restricting access to the Agent servlet to minimize the risk of exploitation. Avoid using the agentid parameter in the affected API endpoint until the issue is resolved.
Fix
SQL injection
Weakness Enumeration
Related Identifiers
Affected Products
Zoho Manageengine Applications Manager