CVE-2015-7766

ManageEngine OpManager - Remote Code Execution

Severity Score

9.0

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and earlier allows remote administrators to bypass SQL query restrictions via a comment in the query to api/json/admin/SubmitQuery, as demonstrated by "INSERT/**/INTO."

PGSQL:SubmitQuery.do en ZOHO ManageEngine OpManager 11.6, 11.5 y anteriores permite a administradores remotos eludir las restricciones de consulta SQL a través de un comentario en la consulta a api/json/admin/SubmitQuery, según lo demostrado por 'INSERT/**/INTO'.

*Credits: N/A

CVSS Scores

NISTv2 9.0

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2015-10-09 CVE Reserved
2015-10-09 CVE Published
2024-09-17 CVE Updated
2024-09-17 First Exploit
2024-11-02 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-264: Permissions, Privileges, and Access Controls

CAPEC

References (5)

URL	Tag	Source
http://seclists.org/fulldisclosure/2015/Sep/66	Mailing List
https://support.zoho.com/portal/manageengine/helpcenter/articles/pgsql-submitquery-do-vulnerability	X_refsource_confirm

URL	Date	SRC
https://www.exploit-db.com/exploits/38221	2024-09-17
http://packetstormsecurity.com/files/133596/ManageEngine-OpManager-Remote-Code-Execution.html	2024-09-17
http://www.rapid7.com/db/modules/exploit/windows/http/manage_engine_opmanager_rce	2024-09-17

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Zohocorp Search vendor "Zohocorp"		Manageengine Opmanager Search vendor "Zohocorp" for product "Manageengine Opmanager"				<= 11.5 Search vendor "Zohocorp" for product "Manageengine Opmanager" and version " <= 11.5"		-		Affected
Zohocorp Search vendor "Zohocorp"		Manageengine Opmanager Search vendor "Zohocorp" for product "Manageengine Opmanager"				11.6 Search vendor "Zohocorp" for product "Manageengine Opmanager" and version "11.6"		-		Affected