# CVE-2017-11738

### SQL Injection attack possible in 'haid' parameter of the '/auditLogAction.do' URL

| Vulnerability Details | |
|---|---|
| Impact | **CVSS V3 rating: 8.1 HIGH** |
| Fixed | 30 April 2020 |
| Affected Builds | Till version 14650 |
| Fixed in | Build 14660 and above |
| Overview | SQL Injection attack possible in 'haid' parameter of the '/auditLogAction.do' URL. |
| Recommended Fix | **Upgrade Applications Manager to version 14660 or above.** |

## Description

In ManageEngine Application Manager 13.1 Build 13100, the 'haid' parameter of the '/auditLogAction.do' module is vulnerable to a Time-based Blind SQL Injection attack.

We recommend that you upgrade Applications Manager to version 14660 or above to fix this issue.

### Source and Acknowledgements

Find out more about CVE-2017-11738 from [CVE Directory](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11738) and [NIST NVD](https://nvd.nist.gov/vuln/detail/CVE-2017-11738).

**Reported by:** Elvin Hayes Gentiles of Trustwave SpiderLabs

### Need Help?

For clarification or corrections, please contact our [support team](https://www.manageengine.com/products/applications_manager/support.html) or email us at [appmanager-support@manageengine.com](mailto:appmanager-support@manageengine.com).
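
For installations that ran an affected build, web access logs can be reviewed for requests to `/auditLogAction.do` whose `haid` value is not a plain number. The script below is an added example, not ManageEngine code; it assumes Common Log Format access logs and that legitimate `haid` values are numeric IDs, and its sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: legitimate 'haid' values are plain numeric IDs.
NUMERIC_ID = re.compile(r"\d+")
# Database delay primitives commonly seen in time-based blind SQLi probes.
DELAY_HINT = re.compile(r"sleep|waitfor\s+delay|benchmark", re.I)
# Request portion of a Common/Combined Log Format line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
TARGET_PATH = "/auditLogAction.do"


def suspicious_haid(log_line):
    """Return (value, reason) for a suspect 'haid' on the target URL, else None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    # Drop any ';jsessionid=...' path parameter before comparing the path.
    if not url.path.split(";")[0].endswith(TARGET_PATH):
        return None
    # parse_qsl URL-decodes values, so encoded quotes and spaces are normalised.
    for name, value in parse_qsl(url.query):
        if name.lower() != "haid" or NUMERIC_ID.fullmatch(value):
            continue
        reason = "delay-function" if DELAY_HINT.search(value) else "non-numeric"
        return value, reason
    return None


def scan(lines):
    """Return [(line_number, value, reason)] for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        result = suspicious_haid(line)
        if result:
            hits.append((number, *result))
    return hits


# Constructed sample access-log lines (not taken from a real system).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/May/2020:10:00:01 +0000] "GET /auditLogAction.do?haid=10000012 HTTP/1.1" 200 5123',
    '203.0.113.9 - - [01/May/2020:10:02:13 +0000] "GET /auditLogAction.do?haid=12%27%20AND%20SLEEP%285%29 HTTP/1.1" 200 5123',
    '203.0.113.9 - - [01/May/2020:10:02:40 +0000] "GET /auditLogAction.do?haid=12%27 HTTP/1.1" 500 310',
    '198.51.100.7 - - [01/May/2020:10:03:00 +0000] "GET /index.do?haid=abc HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Parameters sent in a POST body do not appear in standard access logs, so this check only covers values passed in the query string.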