CVE-2014-7864

Published: 04/02/2015 | Updated: 09/10/2018
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 755
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Multiple SQL injection vulnerabilities in the FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine OpManager 8 up to and including 11.5 build 11400 and IT360 10.5 and previous versions allow remote attackers and remote authenticated users to execute arbitrary SQL commands via the (1) customerName or (2) serverRole parameter in a standbyUpdateInCentral operation to servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.

Vulnerable Product

zohocorp manageengine opmanager 11.4

zohocorp manageengine opmanager 11.5

zohocorp manageengine opmanager 9.2

zohocorp manageengine opmanager 9.1

zohocorp manageengine opmanager 11.1

zohocorp manageengine opmanager 11.0

zohocorp manageengine opmanager 10.2

zohocorp manageengine opmanager 9.4

zohocorp manageengine opmanager 11.3

zohocorp manageengine opmanager 11.2

zohocorp manageengine opmanager 9.0

zohocorp manageengine opmanager 8.8

zohocorp manageengine opmanager 10.1

zohocorp manageengine opmanager 10.0

Exploits

>> Multiple vulnerabilities in FailOverServlet in ManageEngine OpManager, Applications Manager and IT360
>> Discovered by Pedro Ribeiro (pedrib@gmailcom), Agile Information Security
==========================================================================
Disclosure: 28/01/2015 / Last updated: 09/02/2015

>> Background on the af ...

ManageEngine OpManager, Applications Manager, and IT360 suffer from arbitrary file download, directory content disclosure, and blind SQL injection vulnerabilities ...