ManageEngine OPManager 12.3 SQL Injection

2018.09.21

Credit: Murat Aydemir

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2018-17243

CWE: CWE-89

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

I. VULNERABILITY
-------------------------
OPManager version 12.3, SQL Injection vulnerability

II. CVE REFERENCE
-------------------------
CVE-2018-17243

III. VENDOR
-------------------------
https://www.manageengine.com

IV. TIMELINE
-------------------------
10/09/18 Vulnerability discovered
13/09/18 Vendor contacted
19/09/2018 OPManager replay that they fixed

V. CREDIT
-------------------------
Murat Aydemir from Biznet Bilisim A.S.

VI. DESCRIPTION
-------------------------
ManageEngine OPManager product(version 12.3) was vulnerable to sql
injection attack. A successfully exploit of this attack could allow
arbitrary code execution on remote server database.
References: https://www.manageengine.com/network-monitoring/help/read-me.html

VII. Remediation
-------------------------
Its recommended to update latest version of OPManager.

See this note in RAW Version

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

ManageEngine OPManager 12.3 SQL Injection

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

ManageEngine OPManager 12.3 SQL Injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.