CVE-2014-7868
ManageEngine OpManager DataComparisionServlet query SQL Remote Code Execution Vulnerability
- Public Exploits: 7
- Exploited in Wild: -
Descriptions
Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the (1) OPM_BVNAME parameter in a Delete operation to the APMBVHandler servlet or (2) query parameter in a compare operation to the DataComparisonServlet servlet.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ManageEngine OpManager. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the DataComparisonServlet servlet. The issue lies in the ability to execute arbitrary SQL statements. An attacker could leverage this vulnerability to execute code under the context of the database, which defaults to SYSTEM.
ManageEngine OpManager, Social IT Plus, and IT360 suffer from code execution, remote shell upload, and remote SQL injection vulnerabilities.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2014-10-05 CVE Reserved
- 2014-11-09 CVE Published
- 2014-11-09 First Exploit
- 2024-07-16 EPSS Updated
- 2024-08-06 CVE Updated
- Exploited in Wild: -
- KEV Due Date: -
CWE
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
References (8)
URL | Tag | Source
---|---|---
http://www.securityfocus.com/archive/1/533946/100/0/threaded | Mailing List |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Zohocorp | Manageengine Social It Plus | 11.0 | - | Affected
Zohocorp | Manageengine Opmanager | 11.3 | - | Affected
Zohocorp | Manageengine Opmanager | 11.4 | - | Affected
Zohocorp | Manageengine It360 | 10.3.0 | - | Affected
Zohocorp | Manageengine It360 | 10.4 | - | Affected