Vulnerability Description
ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 do not properly restrict access to the database browser, which allows remote authenticated users to obtain access to the database via a direct request to event/runQuery.do. Fixed in Build 10000.
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zohocorp | Manageengine Eventlog Analyzer | 8.2 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/128102/ManageEngine-EventLog-Analyzer-9.9-A (Exploit)
- http://seclists.org/fulldisclosure/2014/Aug/86 (Exploit, US Government Resource)
- http://seclists.org/fulldisclosure/2014/Sep/19 (Exploit)
- http://www.exploit-db.com/exploits/34519 (Exploit)
- http://www.securityfocus.com/bid/69482 (Exploit)
- https://www.mogwaisecurity.de/advisories/MSA-2014-01.txt (Exploit)
FAQ
What is CVE-2014-6043?
CVE-2014-6043 is a vulnerability with a CVSS score of 6.5 (MEDIUM). ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 do not properly restrict access to the database browser, which allows remote authenticated users to obtain access to the databas...
How severe is CVE-2014-6043?
CVE-2014-6043 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2014-6043?
Check the references section above for vendor advisories and patch information. Affected products include: Zohocorp Manageengine Eventlog Analyzer.