Published: 04/12/2014 Updated: 15/07/2019

CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10

VMScore: 760

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the (1) OPM_BVNAME parameter in a Delete operation to the APMBVHandler servlet or (2) query parameter in a compare operation to the DataComparisonServlet servlet.

Vulnerable Product	Search on Vulmon	Subscribe to Product
zohocorp manageengine social it plus 11.0
zohocorp manageengine opmanager 11.3
zohocorp manageengine opmanager 11.4
zohocorp manageengine it360 10.4
zohocorp manageengine it360 10.3.0

ManageEngine OpManager, Social IT Plus, and IT360 suffer from code execution, remote shell upload, and remote SQL injection vulnerabilities ...

>> Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360 >> Discovered by Pedro Ribeiro (pedrib@gmailcom), Agile Information Security ========================================================================== Disclosure: 27/09/2014 (#1 and #2), 09/11/2014 (#3 and #4) / Last updated: 09/11/2014 >> Backgroun ...

CWE-89 https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt http://seclists.org/fulldisclosure/2014/Nov/21 https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix http://www.securityfocus.com/bid/71002 http://packetstormsecurity.com/files/129037/ManageEngine-OpManager-Social-IT-Plus-IT360-File-Upload-SQL-Injection.html http://www.securityfocus.com/archive/1/533946/100/0/threaded https://nvd.nist.gov https://packetstormsecurity.com/files/129037/ManageEngine-OpManager-Social-IT-Plus-IT360-File-Upload-SQL-Injection.html https://www.exploit-db.com/exploits/35209/

CVE-2014-7868

Vulnerability Summary

Vulnerability Trend

Exploits

References

Vulmon Search

About

Products

Connect