ManageEngine Applications Manager DowntimeSchedulerServlet 'TASKID' Blind SQLi

Critical, Nessus Plugin ID 84241

Synopsis

The remote web application is affected by a blind SQL injection vulnerability.

Description

The remote host is running a version of ManageEngine Applications Manager that is affected by a blind SQL injection vulnerability due to improper validation of user-supplied input to the 'TASKID' parameter in the 'DowntimeSchedulerServlet' servlet. A remote attacker can exploit this flaw to execute arbitrary SQL statements.

Note that some third-party resources indicate that a patch exists for this vulnerability. However, Tenable Research has successfully exploited this vulnerability in the latest available software release.

Solution

No patched version currently exists.

See Also

https://www.zerodayinitiative.com/advisories/ZDI-15-229/

Plugin Details

Severity: Critical

ID: 84241

File Name: manageengine_applications_manager_downtimescheduler_sqli.nasl

Version: 1.5

Type: remote

Family: CGI abuses

Published: 6/17/2015

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/a:manageengine:applications_manager

Required KB Items: installed_sw/ManageEngine Applications Manager

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 5/15/2015

Reference Information

BID: 74692