# Security Updates - CVE Details | ManageEngine Applications Manager

## Security Updates - CVE Database

## CVE-2019-11469

### FaultTemplateOptions.jsp resourceid SQL Injection vulnerability

### Vulnerability Details

|  |  |
|---|---|
| Impact | **CVSS V3 rating: 9.8 CRITICAL** |
| Fixed | 24 April 2019 |
| Affected Builds | Till Build 14140 |
| Fixed in | Build 14150 |
| Overview | Unauthenticated access and SQL Injection vulnerability with "resourceid" parameter in /jsp/FaultTemplateOptions.jsp. |
| Recommended Fix | **Upgrade to Applications Manager Version 14150 or above.** |

### Description

ManageEngine Applications Manager 12 through 14 allows SQL Injection using "resourceid" parameter in FaultTemplateOptions.jsp. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature.

We recommend that you upgrade to Applications Manager Version 14150 and above to fix this issue.

### Source and Acknowledgements

Find out more about CVE-2019-11469 from [CVE Directory](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11469) and [NIST NVD](https://nvd.nist.gov/vuln/detail/CVE-2019-11469).

Other Resources: [http://packetstormsecurity.com/files/152607/ManageEngine-Applications-Manager-14.0-SQL-Injection-Command-Injection.html](http://packetstormsecurity.com/files/152607/ManageEngine-Applications-Manager-14.0-SQL-Injection-Command-Injection.html)

### Need Help?

For clarification or corrections please contact our [support team](https://www.manageengine.com/products/applications_manager/support.html) or email us at [appmanager-support@manageengine.com](mailto:appmanager-support@manageengine.com)