CVE-2014-7867

CWE-89 — SQL Injection3 documents3 sources

Severity

7.5HIGH

EPSS

62.1%

top 1.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zohocorp Manageengine It360 Zohocorp Manageengine Opmanager Zohocorp Manageengine Social IT Plus

Timeline

PublishedDec 4

Latest updateMay 14

Description

SQL injection vulnerability in the com.manageengine.opmanager.servlet.UpdateProbeUpgradeStatus servlet in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the probeName parameter.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

▶NVDzohocorp/manageengine_opmanager11.3, 11.4+1

▶NVDzohocorp/manageengine_social_it_plus11.0

▶NVDzohocorp/manageengine_it36010.3.0, 10.4+1

Patches

Patch: support.zoho.com ↗Patch: support.zoho.com ↗

🔴Vulnerability Details

GHSA

GHSA-h2cx-h57v-qrc4: SQL injection vulnerability in the com↗2022-05-14

▶

CVEList

CVE-2014-7867: SQL injection vulnerability in the com↗2014-12-04

▶