# Security Updates - CVE Details | ManageEngine Applications Manager

## Security Updates - CVE Database

## CVE-2017-16543

### SQL injection via GraphicalView.do

| Vulnerability Details | |
|---|---|
| Impact | **CVSS V3 rating:** 9.8 CRITICAL |
| Reported | 11 May 2017 |
| Fixed | 22 November 2017 |
| Affected Builds | Till Build 13450 |
| Fixed in | Build 13500 |
| Overview | SQL injection via GraphicalView.do |
| Recommended Fix | **Upgrade to Applications Manager Version 13500 and above.** |

### Description

ManageEngine Applications Manager 13 allowed for SQL injection via GraphicalView.do in the methods getLatestStatusForJIT and saveBusinessViewPropsForADDM, as demonstrated by a crafted viewProps yCanvas field or viewid parameter. An attacker might be able to inject and/or alter existing SQL statements, which would influence the database exchange.

We recommend that you upgrade to Applications Manager Version 13500 and above to fix this issue.

### Source and Acknowledgements

Find out more about CVE-2017-16543 from the [CVE dictionary](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16543) and [NIST NVD](https://nvd.nist.gov/vuln/detail/CVE-2017-16543).

Source: [https://code610.blogspot.com/2017/11/sql-injection-in-manageengine.html](https://code610.blogspot.com/2017/11/sql-injection-in-manageengine.html)

Other Resources: [https://exploit-db.com/exploits/43129/](https://exploit-db.com/exploits/43129/)

### Need Help?

For clarification or corrections please contact our [support team](https://www.manageengine.com/products/applications_manager/support.html) or email us at [appmanager-support@manageengine.com](mailto:appmanager-support@manageengine.com).
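
A log-triage check for the issue in the Description above, as an added example that is not ManageEngine's code: it flags access-log requests to GraphicalView.do that call either affected method with a viewid that is not a plain integer. The `method` query parameter name, the Combined Log Format input, and the rule that a legitimate viewid is numeric are assumptions; the viewProps yCanvas field is not covered here.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Methods named in the advisory for CVE-2017-16543.
AFFECTED_METHODS = {"getLatestStatusForJIT", "saveBusinessViewPropsForADDM"}

# Client IP and request line of a Common/Combined Log Format entry (assumed format).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<verb>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def triage(lines):
    """Return (ip, method, viewid) for affected-method hits whose viewid is not an integer."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/GraphicalView.do"):
            continue
        # parse_qs percent-decodes values, so encoded quotes and spaces are compared decoded.
        params = parse_qs(url.query, keep_blank_values=True)
        methods = set(params.get("method", [])) & AFFECTED_METHODS  # "method" is an assumed name
        if not methods:
            continue
        for viewid in params.get("viewid", []):
            # Assumption: a legitimate viewid is a plain decimal integer.
            if not re.fullmatch(r"\d{1,18}", viewid):
                findings.append((m.group("ip"), sorted(methods)[0], viewid))
    return findings

# Constructed sample lines (not taken from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Nov/2017:10:01:02 +0000] "GET /GraphicalView.do?'
    'method=getLatestStatusForJIT&viewid=10000012 HTTP/1.1" 200 512',
    '198.51.100.7 - - [21/Nov/2017:10:03:44 +0000] "GET /GraphicalView.do?'
    'method=getLatestStatusForJIT&viewid=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 498',
    '198.51.100.7 - - [21/Nov/2017:10:03:45 +0000] "GET /index.do?viewid=abc HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for ip, method, viewid in triage(SAMPLE_LOG):
        print(f"{ip} {method} viewid={viewid!r}")
```

A hit is a lead for review on builds up to 13450, not proof of compromise; the fix remains the upgrade to Build 13500 or later.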