CVE-2014-6038
published 2020-01-13

Priority: P2 · 69 · high · 7.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EXPLOIT
EPSS: 72.76% (99.4th percentile)
Zoho ManageEngine EventLog Analyzer versions 7 through 9.9 build 9002 have a database Information Disclosure Vulnerability. Fixed in EventLog Analyzer 10.0 Build 10000.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_eventlog_analyzer | 7.0 – 9.9 | |

Detection & IOCs (extracted from sources)

url: /agentHandler?mode=getTableData&table=AaaUser
url: /agentHandler?mode=getTableData&table=AaaPassword
url: /agentHandler?mode=getTableData&table=AaaPasswordHint
url: /agentHandler?mode=getTableData&table=HostDetails
url: /agentHandler?mode=getTableData&table=[tableName]
url: /hostdetails?slid=X&hostid=Y
url: /hostdetails?slid=1&hostid=1
  • Detect unauthenticated GET requests to the agentHandler servlet with the mode=getTableData parameter, which allows reading arbitrary database tables without authentication.
  • Detect unauthenticated GET requests to the hostdetails servlet with slid and hostid parameters, which discloses managed host superuser credentials.
  • On EventLog Analyzer version 7, exploitation paths are prepended with /event/ — monitor for /event/agentHandler and /event/hostdetails request patterns in addition to the root-level paths.
  • Credentials returned by the hostdetails servlet are XOR-encoded with 0x30 and base64-encoded; look for base64 blobs in HTTP responses from /hostdetails as an indicator of successful exploitation.
  • On EventLog Analyzer version 7, all exploit URLs must be prepended with /event/ (e.g., /event/agentHandler?... and /event/hostdetails?...) rather than the root path used in later versions.
  • No authentication or any other prior information is required to exploit CVE-2014-6038; the vulnerability is exploitable pre-authentication.
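
The request patterns listed above can be turned into an access-log check. The following is an added example, not code from this page or from the vendor: it assumes combined-format access logs from a proxy or web tier in front of EventLog Analyzer, and the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed input: combined-format access log lines from a proxy or the web tier.
LINE_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def classify(target):
    """Return a label if the request target matches a CVE-2014-6038 pattern, else None."""
    parts = urlsplit(target)
    # Lower-casing the path is a deliberate over-match (assumption, not from the page).
    segments = [s for s in unquote(parts.path).lower().split("/") if s]
    if segments[:1] == ["event"]:          # version 7 serves the servlets under /event/
        segments = segments[1:]
    if len(segments) != 1:
        return None
    params = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if segments[0] == "agenthandler":
        if any(m.lower() == "gettabledata" for m in params.get("mode", [])):
            return "agentHandler getTableData: table=" + params.get("table", ["?"])[0]
    elif segments[0] == "hostdetails":
        if "slid" in params and "hostid" in params:
            return "hostdetails slid/hostid"
    return None

def scan(lines):
    """Return (source, HTTP status, label) for every matching log line."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        label = classify(m["target"]) if m else None
        if label:
            findings.append((m["src"], int(m["status"]), label))
    return findings

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /agentHandler?mode=getTableData&table=AaaUser HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /event/hostdetails?slid=1&hostid=1 HTTP/1.1" 200 812',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /event/index.html HTTP/1.1" 200 9000',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /agentHandler?mode=status HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The HTTP status in each finding helps triage: a 200 on either servlet from an unexpected source deserves a closer look at the response and at credential rotation, while access logs alone cannot show whether the caller held a session.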

CVSS provenance

nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N