Vulnerability Description
SQL injection vulnerability in the LinkViewFetchServlet servlet in ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90043, Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7 build 7003, IT360 and IT360 Managed Service Providers (MSP) edition before 10.3.3 build 10330, and possibly other ManageEngine products, allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the sv parameter to LinkViewFetchServlet.dat.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Manageengine | It360 | <= 10.3.3 |
| Manageengine | Password Manager Pro | <= 7.0 |
| Manageengine | Desktop Central | <= 9.0 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/127973/ManageEngine-Password-Manager-MetadaExploit
- http://seclists.org/fulldisclosure/2014/Aug/55Exploit
- http://seclists.org/fulldisclosure/2014/Aug/85Exploit
- http://www.securityfocus.com/bid/69305
- https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc_pmp_it360Exploit
- https://raw.githubusercontent.com/pedrib/PoC/master/msf_modules/manageengine_dc_Exploit
- http://packetstormsecurity.com/files/127973/ManageEngine-Password-Manager-MetadaExploit
- http://seclists.org/fulldisclosure/2014/Aug/55Exploit
- http://seclists.org/fulldisclosure/2014/Aug/85Exploit
- http://www.securityfocus.com/bid/69305
- https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc_pmp_it360Exploit
- https://raw.githubusercontent.com/pedrib/PoC/master/msf_modules/manageengine_dc_Exploit
FAQ
What is CVE-2014-3996?
CVE-2014-3996 is a vulnerability with a CVSS score of 7.5 (HIGH). SQL injection vulnerability in the LinkViewFetchServlet servlet in ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90043, Password Manager ...
How severe is CVE-2014-3996?
CVE-2014-3996 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-3996?
Check the references section above for vendor advisories and patch information. Affected products include: Manageengine It360, Manageengine Password Manager Pro, Manageengine Desktop Central.