Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2014-7868

CWE-89 — SQL Injection5 documents4 sources

Severity

7.5HIGH

EPSS

69.7%

top 1.34%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Zohocorp Manageengine It360 Zohocorp Manageengine Opmanager Zohocorp Manageengine Social IT Plus

Timeline

PublishedDec 4

Latest updateMay 14

Description

Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the (1) OPM_BVNAME parameter in a Delete operation to the APMBVHandler servlet or (2) query parameter in a compare operation to the DataComparisonServlet servlet.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

▶NVDzohocorp/manageengine_social_it_plus11.0

▶NVDzohocorp/manageengine_it36010.3.0, 10.4+1

▶NVDzohocorp/manageengine_opmanager11.3, 11.4+1

Patches

Patch: support.zoho.com ↗Patch: support.zoho.com ↗

🔴Vulnerability Details

GHSA

GHSA-9gvw-7mjf-3xwg: Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager 11↗2022-05-14

▶

CVEList

CVE-2014-7868: Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager 11↗2014-12-04

▶

💥Exploits & PoCs

Exploit-DB

ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities↗2014-11-10

▶

Exploit-DB

ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities↗2014-11-09

▶