SQL Injection Vulnerability in ManageEngine Password Manager Pro and IT360
CVE-2014-3997

Currently unrated

Key Information:

Vendor: Zohocorp
Status: Manageengine Password Manager Pro
Vendor: CVE Published:; 5 December 2014

What is CVE-2014-3997?

An SQL injection vulnerability exists in the MetadataServlet servlet of ManageEngine Password Manager Pro and IT360, which could allow remote attackers or authenticated users to execute arbitrary SQL commands. The exploitation occurs via the 'sv' parameter within the MetadataServlet.dat endpoint. This vulnerability affects multiple versions of Password Manager Pro and IT360, highlighting the need for immediate attention and patching to secure sensitive data from unauthorized access.

References

http://seclists.org/fulldisclosure/2014/Aug/55

mailing-listx_refsource_FULLDISC

https://raw.githubusercontent.com/pedrib/PoC/master/Manag...

x_refsource_MISC

https://raw.githubusercontent.com/pedrib/PoC/master/msf_m...

x_refsource_MISC

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 5, 2014
Vulnerability Reserved
Jun 6, 2014

Zohocorp

What is CVE-2014-3997?

References

Timeline