| Vulnerability Details | |
|---|---|
| Impact | CVSS V3 rating: 9.8 CRITICAL |
| Reported | 16 November 2017 |
| Fixed | 11 December 2017 |
| Affected Builds | Till Build 13520 |
| Fixed in | Build 13530 |
| Overview | SQL injection via the /MyPage.do widgetid parameter. |
| Recommended Fix | Upgrade to Applications Manager Version 13530 or above. |
Zoho ManageEngine Applications Manager allowed for SQL injection via the /MyPage.do widgetid parameter. A remote attacker could send specially-crafted SQL statements to MyPage.do using the 'widgetid' parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.
We recommend that you upgrade to Applications Manager Version 13530 and above to fix this issue.
Source and Acknowledgements
Find out more about CVE-2017-16851 from the CVE dictionary and NIST NVSD.
Other Resources: https://code610.blogspot.com/2017/11/more-sql-injections-in-manageengine.html
For clarification or corrections please contact our support team or email us at appmanager-support@manageengine.com