Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2014-7864 — SQL Injection in Manageengine Opmanager

CWE-89 — SQL Injection4 documents4 sources

Severity

7.5HIGHNVD

EPSS

32.2%

top 3.16%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Zohocorp Manageengine Opmanager

Timeline

PublishedFeb 4

Latest updateMay 14

Description

Multiple SQL injection vulnerabilities in the FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine OpManager 8 through 11.5 build 11400 and IT360 10.5 and earlier allow remote attackers and remote authenticated users to execute arbitrary SQL commands via the (1) customerName or (2) serverRole parameter in a standbyUpdateInCentral operation to servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages1 packages

▶NVDzohocorp/manageengine_opmanager14 versions+13

🔴Vulnerability Details

GHSA

GHSA-f4g5-8f5m-c4xh: Multiple SQL injection vulnerabilities in the FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine OpManager 8 through 11↗2022-05-14

▶

CVEList

CVE-2014-7864: Multiple SQL injection vulnerabilities in the FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine OpManager 8 through 11↗2015-02-04

▶

💥Exploits & PoCs

Exploit-DB

ManageEngine OpManager / Applications Manager / IT360 - 'FailOverServlet' Multiple Vulnerabilities↗2015-02-09

▶