Vulnerability Description
Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zohocorp | Manageengine Opmanager | < 12.3 |
Related Weaknesses (CWE)
References
- https://github.com/x-f1v3/ForCve/issues/4ExploitThird Party Advisory
- https://www.manageengine.com/network-monitoring/help/read-me.htmlVendor Advisory
- https://github.com/x-f1v3/ForCve/issues/4ExploitThird Party Advisory
- https://www.manageengine.com/network-monitoring/help/read-me.htmlVendor Advisory
FAQ
What is CVE-2018-17283?
CVE-2018-17283 is a vulnerability with a CVSS score of 7.5 (HIGH). Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged a...
How severe is CVE-2018-17283?
CVE-2018-17283 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-17283?
Check the references section above for vendor advisories and patch information. Affected products include: Zohocorp Manageengine Opmanager.