PT-2019-7894 · Zoho · Zoho Manageengine Opmanager

Published: 2019-05-23 · Updated: 2019-05-24 · CVE-2017-11559

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: ZOHO ManageEngine OpManager version 12.2

Description: An issue was discovered in the software, where the apiKey parameter of the API endpoints "/api/json/admin/getmailserversettings" and "/api/json/dashboard/gotoverviewlist" is vulnerable to a blind SQL injection attack.

Recommendations: For ZOHO ManageEngine OpManager version 12.2, consider restricting access to the vulnerable API endpoints "/api/json/admin/getmailserversettings" and "/api/json/dashboard/gotoverviewlist" to minimize the risk of exploitation, and avoid using the apiKey parameter in these endpoints until the issue is resolved.

Exploit · Fix · SQL injection


Weakness Enumeration

Related Identifiers: CVE-2017-11559

Affected Products: Zoho Manageengine Opmanager