ManageEngine OpManager 'probeName' SQL Injection Vulnerability

Severity: High (Nessus Plugin ID 81381)

Synopsis

The remote host is running a web application affected by a SQL injection vulnerability.

Description

The remote host is running a version of ManageEngine OpManager that is affected by a SQL injection vulnerability because the UpdateProbeUpgradeStatus servlet fails to validate the 'probeName' parameter. A remote, unauthenticated attacker can exploit this to modify the application's database and potentially gain administrative rights.

Solution

Upgrade to ManageEngine OpManager 11.3 or 11.4 and apply the vendor-issued security patch, or upgrade to a version later than 11.4.

See Also

http://www.nessus.org/u?f9f0ae00

Plugin Details

Severity: High

ID: 81381

File Name: manageengine_opmanager_query_param_sqli.nasl

Version: 1.6

Type: remote

Family: CGI abuses

Published: 2/16/2015

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:zohocorp:manageengine_opmanager

Required KB Items: installed_sw/ManageEngine OpManager

Exploit Ease: No known exploits are available

Patch Publication Date: 6/1/2014

Vulnerability Publication Date: 8/19/2014

Reference Information

CVE: CVE-2014-7867

BID: 71509