CVE-2019-11469 : Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequen

Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature.

Published 2019-04-23 04:29:02

Updated 2019-04-26 16:45:09

Source MITRE

View at NVD, CVE.org

Vulnerability category: Sql Injection

Exploit prediction scoring system (EPSS) score for CVE-2019-11469

Probability of exploitation activity in the next 30 days: 1.32%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 86 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2019-11469

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
9.8	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2019-11469

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-11469

https://www.exploit-db.com/exploits/46740

ManageEngine Applications Manager 14.0 - Authentication Bypass / Remote Command Execution (Metasploit)
Exploit;Third Party Advisory;VDB Entry
https://www.exploit-db.com/exploits/46740/

ManageEngine Applications Manager 14.0 - Authentication Bypass / Remote Command Execution (Metasploit)
Exploit;Third Party Advisory;VDB Entry
http://packetstormsecurity.com/files/152607/ManageEngine-Applications-Manager-14.0-SQL-Injection-Command-Injection.html

ManageEngine Applications Manager 14.0 SQL Injection / Command Injection ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry
https://pentest.com.tr/exploits/ManageEngine-App-Manager-14-Auth-Bypass-Remote-Command-Execution.html

Pentest Blog - Self-Improvement to Ethical Hacking
Exploit;Third Party Advisory
https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-11469.html

Security Updates - CVE Details | ManageEngine Applications Manager
Vendor Advisory

Products affected by CVE-2019-11469

Zohocorp » Manageengine Applications Manager
Versions from including (>=) 12.0 and up to, including, (<=) 14.0
cpe:2.3:a:zohocorp:manageengine_applications_manager:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2019-11469

Exploit prediction scoring system (EPSS) score for CVE-2019-11469

CVSS scores for CVE-2019-11469

CWE ids for CVE-2019-11469

References for CVE-2019-11469

Products affected by CVE-2019-11469