# CVE-2019-15105

### NewThresholdConfiguration.jsp resourceid SQL Injection vulnerability

## Vulnerability Details

| Vulnerability Details | |
|---|---|
| Impact | **CVSS V3 rating: 8.8 HIGH** |
| Fixed | 13 August 2019 |
| Affected Builds | Up to Build 14290 |
| Fixed in | Build 14300 |
| Overview | SQL Injection vulnerability in the "resourceid" parameter of /jsp/NewThresholdConfiguration.jsp. |
| Recommended Fix | **Upgrade to Applications Manager Version 14300 or above.** |

## Description - Security Update - CVE-2019-15105

ManageEngine Applications Manager 12 through 14.2 allows SQL Injection using the "resourceid" parameter in NewThresholdConfiguration.jsp. Subsequently, a low-authority user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature.

We recommend that you upgrade to Applications Manager Version 14300 or above to fix this issue.

## Source and Acknowledgements

Find out more about CVE-2019-15105 from [CVE Directory](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15105) and [NIST NVD](https://nvd.nist.gov/vuln/detail/CVE-2019-15105).

Other Resources: [https://www.pentest.com.tr/exploits/DEFCON-ManageEngine-APM-v14-Privilege-Escalation-Remote-Command-Execution.html](https://www.pentest.com.tr/exploits/DEFCON-ManageEngine-APM-v14-Privilege-Escalation-Remote-Command-Execution.html)

## Need Help?

For clarification or corrections, please contact our [support team](https://www.manageengine.com/products/applications_manager/support.html) or email us at [appmanager-support@manageengine.com](mailto:appmanager-support@manageengine.com).
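For installations that ran a build before 14300, the web access log can be reviewed for requests to the JSP named in the Description whose "resourceid" value is not a plain integer. The following is an added example, not ManageEngine code; it assumes common-format access log lines and that a legitimate resourceid is a decimal integer, and the log lines in it are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

TARGET_PATH = "/jsp/newthresholdconfiguration.jsp"  # path from the advisory, lowercased

# Assumption: common/combined log format: client ... "METHOD URI PROTO" status ...
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: a legitimate resourceid is a plain decimal integer.
VALID_RESOURCEID = re.compile(r"\d{1,18}")

# Constructed sample lines (documentation addresses), not from a real system.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Aug/2019:10:01:02 +0000] "GET /jsp/NewThresholdConfiguration.jsp?resourceid=10000123 HTTP/1.1" 200 5120
192.0.2.44 - - [12/Aug/2019:10:03:17 +0000] "GET /jsp/NewThresholdConfiguration.jsp?resourceid=1%27 HTTP/1.1" 200 311
192.0.2.44 - - [12/Aug/2019:10:03:19 +0000] "GET /jsp/NewThresholdConfiguration.jsp;jsessionid=AB12?resourceid=1%20OR%201%3D1 HTTP/1.1" 500 0
192.0.2.10 - - [12/Aug/2019:10:04:00 +0000] "GET /index.do?resourceid=abc HTTP/1.1" 200 900
192.0.2.77 - - [12/Aug/2019:10:05:41 +0000] "GET /jsp/NewThresholdConfiguration.jsp?resourceid=7&resourceid=x HTTP/1.1" 200 311
"""


def suspicious_requests(log_text):
    """Return (client, status, offending decoded values) for each request to
    TARGET_PATH that carries a resourceid that is not a plain integer."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line this parser understands
        parts = urlsplit(m.group("uri"))
        # Drop path parameters such as ";jsessionid=..." before comparing.
        path = parts.path.split(";", 1)[0].lower()
        if path != TARGET_PATH:
            continue
        # parse_qs percent-decodes values and keeps every repeated parameter.
        values = parse_qs(parts.query, keep_blank_values=True).get("resourceid", [])
        bad = [v for v in values if not VALID_RESOURCEID.fullmatch(v)]
        if bad:
            hits.append((m.group("client"), int(m.group("status")), bad))
    return hits


if __name__ == "__main__":
    for client, status, values in suspicious_requests(SAMPLE_LOG):
        print(f"{client} status={status} resourceid={values!r}")
```

Access logs normally record only the query string, so a resourceid sent in a POST body will not appear in this review.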