Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-11448: SQL Injection in ManageEngine Applications Manager

CWE-89: SQL Injection | 4 documents | 4 sources
Severity
9.8 CRITICAL (NVD)
EPSS
15.5%
top 5.31%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Timeline
Published: Apr 22
Latest update: May 24

Description

An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain the authority of SYSTEM on the server due to a Popup_SLA.jsp sid SQL injection vulnerability. For example, the attacker can subsequently write arbitrary text to a .vbs file.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages: 1 package

🔴 Vulnerability Details (2)

GHSA
GHSA-3j3p-jmq2-47r9: An issue was discovered in Zoho ManageEngine Applications Manager 11 | 2022-05-24
CVEList
CVE-2019-11448: An issue was discovered in Zoho ManageEngine Applications Manager 11 | 2019-04-22

💥 Exploits & PoCs (1)

Exploit-DB
ManageEngine Applications Manager 11.0 < 14.0 - SQL Injection / Remote Code Execution (Metasploit) | 2019-04-18