Published: 09/10/2015 Updated: 09/10/2015

CVSS v2 Base Score: 9 | Impact Score: 10 | Exploitability Score: 8

VMScore: 905

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and previous versions allows remote administrators to bypass SQL query restrictions via a comment in the query to api/json/admin/SubmitQuery, as demonstrated by "INSERT/**/INTO."

Vulnerable Product	Search on Vulmon	Subscribe to Product
zohocorp manageengine opmanager 11.6
zohocorp manageengine opmanager

## # This module requires Metasploit: metasploitcom/download # Current source: githubcom/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote # It removes large object in database, shoudn't be a problem, but just in case Rank = ManualRanking include Msf::Exploit::Remote::HttpCli ...

CWE-264 http://packetstormsecurity.com/files/133596/ManageEngine-OpManager-Remote-Code-Execution.html https://support.zoho.com/portal/manageengine/helpcenter/articles/pgsql-submitquery-do-vulnerability https://www.exploit-db.com/exploits/38221/http://seclists.org/fulldisclosure/2015/Sep/66 http://www.rapid7.com/db/modules/exploit/windows/http/manage_engine_opmanager_rce https://nvd.nist.gov https://www.exploit-db.com/exploits/38221/

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2015-7766

Vulnerability Summary

Exploits

References

Vulmon Search

About

Products

Connect