SQL Injection in ZOHO ManageEngine OpManager, IT360, and Social IT Plus
CVE-2014-7868

Currently unrated

Key Information:

Vendor: Zohocorp

CVE Published: 4 December 2014

What is CVE-2014-7868?

Multiple SQL injection vulnerabilities were discovered in ZOHO's ManageEngine OpManager, IT360, and Social IT Plus. They allow remote attackers or authenticated users to execute arbitrary SQL commands. The injection points are the OPM_BVNAME parameter in a Delete operation sent to the APMBVHandler servlet, and the query parameter in a compare operation sent to the DataComparisonServlet. Exploitation of these vulnerabilities can lead to unauthorized access to and manipulation of database content.

EPSS Score

69% chance of being exploited in the next 30 days.
