Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score (CVSS v2 base) 7.5
CVE Id CVE-2014-7864
Last Modified 04 Feb 2015 02:53:38
Published 04 Feb 2015 11:59:00
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2014-7864

Summary

Multiple SQL injection vulnerabilities in the FailOverHelperServlet (aka FailServlet) in ZOHO ManageEngine OpManager 8 through 11.5 build 11400 and IT360 10.5 and earlier allow remote attackers, unauthenticated or authenticated, to execute arbitrary SQL commands via the (1) customerName or (2) serverRole parameter of a standbyUpdateInCentral operation sent to servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.

Vulnerable Systems

Application

  • Zohocorp Manageengine Opmanager 10.0

  • Zohocorp Manageengine Opmanager 10.1

  • Zohocorp Manageengine Opmanager 10.2

  • Zohocorp Manageengine Opmanager 11.0

  • Zohocorp Manageengine Opmanager 11.1

  • Zohocorp Manageengine Opmanager 11.2

  • Zohocorp Manageengine Opmanager 11.3

  • Zohocorp Manageengine Opmanager 11.4

  • Zohocorp Manageengine Opmanager 11.5

  • Zohocorp Manageengine Opmanager 8.8

  • Zohocorp Manageengine Opmanager 9.0

  • Zohocorp Manageengine Opmanager 9.1

  • Zohocorp Manageengine Opmanager 9.2

  • Zohocorp Manageengine Opmanager 9.4

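The summary names the entry point (the FailOverHelperServlet path, the standbyUpdateInCentral operation, the customerName and serverRole parameters) and the affected version range, and the list above enumerates the affected OpManager releases. The following Python is an added example written for this page, not code from Lumension, ManageEngine or the referenced PoC: is_vulnerable() encodes the affected range exactly as the summary states it, and flag_requests() scans web-server access-log lines for requests to that servlet whose customerName or serverRole value carries SQL metacharacters. Assumptions not stated on the page: that the operation is selected by a request parameter literally named "operation", that the log is in Apache/Tomcat common access-log format, and that the sample log lines below are constructed for illustration.

```python
"""
Added example for CVE-2014-7864 (not from the Lumension page, ManageEngine,
or the referenced PoC). Two defender-side checks:

1. is_vulnerable(): version-range test for the affected range stated in the
   summary (OpManager 8 through 11.5 build 11400; IT360 10.5 and earlier).
2. flag_requests(): scan access-log lines for requests to the
   FailOverHelperServlet with SQL metacharacters in customerName/serverRole.

Assumptions (not on the page): the operation is chosen by a request
parameter named "operation"; logs are in Apache/Tomcat common format;
SAMPLE_LOG below is constructed, not captured from a real system.
"""
import re
from urllib.parse import parse_qs, urlsplit

SERVLET = "com.adventnet.me.opmanager.servlet.FailOverHelperServlet"
OPERATION = "standbyUpdateInCentral"          # operation named in the CVE summary
INJECTABLE = ("customerName", "serverRole")   # parameters named in the CVE summary

# Cheap SQL-metacharacter/keyword heuristic for triage; tune to your environment.
SQLI_PATTERN = re.compile(
    r"""['"\\;]|--|/\*|\b(or|and|union|select|sleep|pg_sleep|waitfor)\b""", re.I
)


def _parse_version(ver):
    """'11.5' -> (11, 5); '8' -> (8, 0)."""
    parts = [int(p) for p in ver.split(".")]
    return tuple(parts + [0] * (2 - len(parts)))


def is_vulnerable(product, version, build=None):
    """True if (product, version[, build]) lies in the range the summary lists
    as affected. Only the range stated on the page is encoded here."""
    v = _parse_version(version)
    if product == "OpManager":
        if not ((8, 0) <= v <= (11, 5)):
            return False
        # 11.5 is affected up to and including build 11400.
        if v == (11, 5) and build is not None and build > 11400:
            return False
        return True
    if product == "IT360":
        return v <= (10, 5)
    raise ValueError(f"unknown product {product!r}")


# Apache/Tomcat "common" access-log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def flag_requests(log_lines):
    """Return (client_ip, parameter, decoded_value) for every request that
    targets the FailOverHelperServlet with the standbyUpdateInCentral
    operation and a suspicious customerName or serverRole value."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/servlet/" + SERVLET):
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        if OPERATION not in params.get("operation", []):
            continue
        for name in INJECTABLE:
            for value in params.get(name, []):
                if SQLI_PATTERN.search(value):
                    hits.append((m.group("ip"), name, value))
    return hits


# Constructed sample: one benign failover update, one injection attempt
# (customerName=acme' OR 1=1--), one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Jan/2015:10:01:02 +0000] "GET /servlet/' + SERVLET
    + '?operation=standbyUpdateInCentral&customerName=acme&serverRole=standby HTTP/1.1" 200 512',
    '10.0.0.9 - - [28/Jan/2015:10:01:07 +0000] "GET /servlet/' + SERVLET
    + '?operation=standbyUpdateInCentral&customerName=acme%27%20OR%201%3D1--&serverRole=standby HTTP/1.1" 200 512',
    '10.0.0.9 - - [28/Jan/2015:10:01:09 +0000] "GET /index.do?customerName=x%27 HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print("OpManager 11.5 build 11400 vulnerable:", is_vulnerable("OpManager", "11.5", 11400))
    for ip, name, value in flag_requests(SAMPLE_LOG):
        print(f"suspicious {name}={value!r} from {ip}")
```

Two caveats for anyone running this: an access log only records query-string parameters, so the same injection sent in a POST body is invisible here and needs a WAF or reverse-proxy capture of the request body; and the pattern is a triage filter, not proof of exploitation, so treat a hit as a lead to confirm against the vendor advisory in the CONFIRM reference and to patch, not as a verdict on its own.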

References

CONFIRM - https://support.zoho.com/portal/manageengine/helpcenter/articles/vulnerabilities-in-failoverhelperservlet

MISC - https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_failservlet.txt

XF - manageengine-cve20147864-sql-injection(100555)

BUGTRAQ - 20150128 [The ManageOwnage Series, part XII]: Multiple vulnerabilities in FailOverServlet (OpManager, AppManager, IT360)

MISC - http://packetstormsecurity.com/files/130162/ManageEngine-File-Download-Content-Disclosure-SQL-Injection.html


Last Updated: 27 May 2016 11:07:41