Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2015-7387

CWE-89 — SQL Injection5 documents4 sources

Severity

7.5HIGH

EPSS

81.7%

top 0.81%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Zohocorp Manageengine Eventlog Analyzer

Timeline

PublishedSep 28

Latest updateMay 13

Description

ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions and execute arbitrary SQL commands via an allowed query followed by a disallowed one in the query parameter to event/runQuery.do, as demonstrated by "SELECT 1;INSERT INTO." Fixed in Build 11200.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages1 packages

▶NVDzohocorp/manageengine_eventlog_analyzer10.6

🔴Vulnerability Details

GHSA

GHSA-ffv2-rwr2-wwgf: ZOHO ManageEngine EventLog Analyzer 10↗2022-05-13

▶

CVEList

CVE-2015-7387: ZOHO ManageEngine EventLog Analyzer 10↗2015-09-28

▶

💥Exploits & PoCs

Exploit-DB

ManageEngine EventLog Analyzer - Remote Code Execution (Metasploit)↗2015-09-29

▶

Exploit-DB

ManageEngine EventLog Analyzer < 10.6 build 10060 - SQL Execution↗2015-09-14

▶