Vulnerability Description
An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0. The sid parameter of Popup_SLA.jsp is vulnerable to SQL injection, and the page is reachable without authentication. An unauthenticated attacker can therefore abuse the injection to obtain SYSTEM privileges on the server; for example, the attacker can subsequently write arbitrary text to a .vbs file, which is what turns a database-level flaw into code execution.
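The following is an added example written for this page, not ManageEngine's own code, to show the bug class behind this CVE: a request parameter spliced into SQL text versus the validated, parameterised form. The table name, columns and sample rows are constructed assumptions (the real schema behind Popup_SLA.jsp is not described here), and sqlite3 stands in for the product's database so the example runs offline. The payload strings are generic tautology and UNION probes, not the exploit referenced below.

```python
"""Added example: SQL injection via a 'sid'-style request parameter, and the fix.

Illustrative code written for this page, not ManageEngine's source. The
table, columns and rows are constructed assumptions; sqlite3 replaces the
product's database so the example runs offline.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for an SLA table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sla (sid INTEGER, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO sla VALUES (?, ?, ?)",
        [(1, "Web tier SLA", "ops"), (2, "DB tier SLA", "dba"), (3, "Mail SLA", "it")],
    )
    return conn


def lookup_sla_vulnerable(conn: sqlite3.Connection, sid: str) -> list:
    """Bug class on this page: the raw request parameter is spliced into SQL.

    A single quote in sid closes the literal and the remainder of the value
    is parsed as attacker-chosen SQL syntax.
    """
    query = f"SELECT sid, name FROM sla WHERE sid = '{sid}'"
    return conn.execute(query).fetchall()


def lookup_sla_fixed(conn: sqlite3.Connection, sid: str) -> list:
    """Hardened form: validate the type, then bind the value as a parameter.

    int() rejects anything that is not a bare identifier, and the ? placeholder
    means the driver never treats the value as SQL even if validation is later
    loosened.
    """
    sid_int = int(sid)  # raises ValueError for "1' OR '1'='1"
    return conn.execute(
        "SELECT sid, name FROM sla WHERE sid = ?", (sid_int,)
    ).fetchall()


def sid_is_suspicious(sid: str) -> bool:
    """Cheap request-side check: a legitimate sid is a bare integer.

    Usable as a WAF rule or when reviewing access logs for probes against
    Popup_SLA.jsp on a host that has not yet been updated.
    """
    return not sid.strip().isdigit()


def demo() -> dict:
    """Run both lookups against a benign sid and two classic injection payloads."""
    conn = make_db()
    # Tautology payload: WHERE sid = '1' OR '1'='1' matches every row.
    tautology = "1' OR '1'='1"
    # UNION payload: pulls a different column ('owner') out through the same page.
    union = "0' UNION SELECT owner, name FROM sla WHERE '1'='1"
    results = {
        "normal_vuln": lookup_sla_vulnerable(conn, "1"),
        "tautology_vuln": sorted(lookup_sla_vulnerable(conn, tautology)),
        "union_vuln": sorted(lookup_sla_vulnerable(conn, union)),
        "normal_fixed": lookup_sla_fixed(conn, "1"),
        "flag_normal": sid_is_suspicious("1"),
        "flag_tautology": sid_is_suspicious(tautology),
    }
    try:
        lookup_sla_fixed(conn, tautology)
        results["fixed_rejects_payload"] = False
    except ValueError:
        results["fixed_rejects_payload"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the vulnerable lookup returning every SLA row for the tautology payload and leaking the owner column for the UNION payload, while the fixed lookup returns only the requested row and raises on any non-numeric sid. The type check alone would stop these payloads, but binding the parameter is the fix that survives future changes to the validation.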
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zohocorp | Manageengine Applications Manager | >= 11.0, <= 14.0 |
Related Weaknesses (CWE)
References
- https://pentest.com.tr/exploits/ManageEngine-App-Manager-14-SQLi-Remote-Code-Exe (Exploit, Third Party Advisory)
- https://www.exploit-db.com/exploits/46725 (Exploit, Third Party Advisory, VDB Entry)
- https://www.exploit-db.com/exploits/46725/ (Exploit, Third Party Advisory, VDB Entry)
- https://www.manageengine.com/products/applications_manager/security-updates/secu (Vendor Advisory)
FAQ
What is CVE-2019-11448?
CVE-2019-11448 is a vulnerability with a CVSS score of 9.8 (CRITICAL) in Zoho ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated attacker can obtain SYSTEM privileges on the server through a SQL injection in the sid parameter of Popup_SLA.jsp, for example by using the injection to write arbitrary text to a .vbs file.
How severe is CVE-2019-11448?
CVE-2019-11448 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-11448?
Check the references section above for vendor advisories and patch information; the ManageEngine Applications Manager security-updates page is listed there. Affected products: Zoho ManageEngine Applications Manager, versions 11.0 through 14.0.