Vulnerability Description
Multiple SQL injection vulnerabilities in the FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine OpManager 8 through 11.5 build 11400 and IT360 10.5 and earlier allow remote attackers and remote authenticated users to execute arbitrary SQL commands via the (1) customerName or (2) serverRole parameter in a standbyUpdateInCentral operation to servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.
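The description names the exact servlet path, the operation and the two injectable parameters, which is enough to hunt for probes in web-server access logs. The following detector is an added example written for this page; it is not vendor code and not the published PoC. It assumes the servlet selects its action through a request parameter literally named `operation` (the CVE text only names the operation value), treats generic SQL metacharacters and keywords as indicators rather than any specific exploit payload, and runs over constructed sample log lines, not real traffic.

```python
"""Heuristic detector for CVE-2014-7864 probes against OpManager's
FailOverHelperServlet, run over web-server access-log lines.

Added example for this page; not vendor code or a published PoC.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Servlet path and the two injectable parameters named in the CVE description.
SERVLET_PATH = "/servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet"
INJECTABLE_PARAMS = ("customerName", "serverRole")
# Assumption: the action is selected by a request parameter literally named
# "operation"; the CVE text only names the operation value. It is reported,
# not used as a filter, so a wrong assumption here does not hide findings.
OPERATION_PARAM = "operation"

# Quotes, comment/terminator sequences, or whole-word SQL keywords.
SQLI_INDICATORS = re.compile(
    r"""['"]|--|/\*|;|\b(?:union|select|insert|update|delete|drop|or|and|sleep|waitfor)\b""",
    re.IGNORECASE,
)

# Common Log Format: client ident user [timestamp] "METHOD target PROTO" status bytes
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def inspect_request(target, body=None):
    """Return {"operation": [...], "hits": [(param, value), ...]} when the
    request targets the servlet with a suspicious customerName/serverRole,
    otherwise None. `body` accepts URL-encoded POST form data from a proxy
    or WAF capture; plain access logs carry only the query string."""
    parts = urlsplit(target)
    if parts.path != SERVLET_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if body:
        for name, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    hits = [
        (name, value)
        for name in INJECTABLE_PARAMS
        for value in params.get(name, [])
        if SQLI_INDICATORS.search(value)
    ]
    if not hits:
        return None
    return {"operation": params.get(OPERATION_PARAM, []), "hits": hits}


def scan_log(lines):
    """Yield (client, timestamp, finding) for each CLF line that matches."""
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        finding = inspect_request(m.group("target"))
        if finding:
            yield m.group("client"), m.group("ts"), finding


# Constructed sample log lines (not real traffic): a normal fail-over
# update, two probes, and an unrelated request.
SAMPLE_LOG = [
    f'203.0.113.10 - - [10/Feb/2015:14:02:11 +0000] "GET {SERVLET_PATH}'
    '?operation=standbyUpdateInCentral&customerName=branch01&serverRole=standby HTTP/1.1" 200 512',
    f'203.0.113.10 - - [10/Feb/2015:14:02:19 +0000] "GET {SERVLET_PATH}'
    '?operation=standbyUpdateInCentral&customerName=branch01%27%20OR%201%3D1--&serverRole=standby HTTP/1.1" 200 512',
    f'198.51.100.7 - - [10/Feb/2015:14:03:02 +0000] "GET {SERVLET_PATH}'
    '?operation=standbyUpdateInCentral&customerName=branch02&serverRole=standby%20UNION%20SELECT%201 HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Feb/2015:14:03:05 +0000] "GET /index.do HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for client, ts, finding in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} operation={finding['operation']} hits={finding['hits']}")
```

The indicator regex is deliberately loose (a legitimate customer name containing an apostrophe will be flagged), so treat a match as a lead for review rather than a confirmed attack. POST bodies are not present in standard access logs; feed them through `body=` from a reverse-proxy or WAF capture if that is where the traffic is recorded.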
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zohocorp | Manageengine Opmanager | 8.8 |

The CPE entry tracks only OpManager 8.8; the description above gives the full affected range, OpManager 8 through 11.5 build 11400 and IT360 10.5 and earlier.
Related Weaknesses (CWE)
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
References
- http://packetstormsecurity.com/files/130162/ManageEngine-File-Download-Content-D (Exploit)
- http://seclists.org/fulldisclosure/2015/Jan/114 (Exploit)
- http://www.securityfocus.com/archive/1/534575/100/0/threaded
- https://exchange.xforce.ibmcloud.com/vulnerabilities/100555
- https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_failservlet. (Exploit)
- https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerabilities (Exploit)
FAQ
What is CVE-2014-7864?
CVE-2014-7864 is a vulnerability with a CVSS score of 7.5 (HIGH). Multiple SQL injection vulnerabilities in the FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine OpManager 8 through 11.5 build 11400 and IT360 10.5 and earlier allow remote attackers and remote authenticated users to execute arbitrary SQL commands via the customerName or serverRole parameter in a standbyUpdateInCentral operation.
How severe is CVE-2014-7864?
CVE-2014-7864 has been rated HIGH with a CVSS base score of 7.5/10. Only the base score and rating are recorded in the CVSS Score section above; the full CVSS vector is not shown on this page.
Is there a patch for CVE-2014-7864?
The vendor's advisory is the ManageEngine help-center "vulnerabilities" article listed in the References section; the remaining references are third-party disclosures and exploit code. The affected range is OpManager 8 through 11.5 build 11400 and IT360 10.5 and earlier; the product table lists Zohocorp Manageengine Opmanager.