Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2019-11469 — SQL Injection in Manageengine Applications Manager

CWE-89 — SQL Injection4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

5.1%

top 10.20%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Zohocorp Manageengine Applications Manager

Timeline

PublishedApr 23

Latest updateMay 24

Description

Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

▶NVDzohocorp/manageengine_applications_manager12.0 — 14.0

🔴Vulnerability Details

GHSA

GHSA-9g5v-572f-c456: Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions↗2022-05-24

▶

CVEList

CVE-2019-11469: Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions↗2019-04-23

▶

💥Exploits & PoCs

Exploit-DB

ManageEngine Applications Manager 14.0 - Authentication Bypass / Remote Command Execution (Metasploit)↗2019-04-22

▶