# Security Updates - CVE Details | ManageEngine Applications Manager

## CVE-2019-11448

### Unauthenticated access and SQL Injection/Remote Code Execution to Popup_SLA.jsp

| Vulnerability Details |  |
|---|---|
| Impact | **CVSS V3 rating: 9.8 CRITICAL** |
| Fixed | 24 April 2019 |
| Affected Builds | Till Build 14150 |
| Fixed in | Build 14150 |
| Overview | Unauthenticated access and SQL Injection/Remote Code Execution using Popup_SLA.jsp. |
| Recommended Fix | **Upgrade to Applications Manager Version 14150 or above.** |

### Description

An issue was discovered in ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain the authority of SYSTEM on the server using the sid parameter in Popup_SLA.jsp for a SQLi.

We recommend that you upgrade to Applications Manager Version 14150 and above to fix this issue.

### Source and Acknowledgements

Find out more about CVE-2019-11448 from the [CVE dictionary](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11448) and [NIST NVD](https://nvd.nist.gov/vuln/detail/CVE-2019-11448).

Other Resources: [https://pentest.com.tr/exploits/ManageEngine-App-Manager-14-SQLi-Remote-Code-Execution.html](https://pentest.com.tr/exploits/ManageEngine-App-Manager-14-SQLi-Remote-Code-Execution.html)

### Need Help?

For clarification or corrections please contact our [support team](https://www.manageengine.com/products/applications_manager/support.html) or email us at [appmanager-support@manageengine.com](mailto:appmanager-support@manageengine.com)