| Field | Detail |
|---|---|
| Impact | CVSS V3 rating: 9.8 CRITICAL |
| Reported | 16 November 2017 |
| Fixed | 11 December 2017 |
| Affected Builds | Up to Build 13520 |
| Fixed in | Build 13530 |
| Overview | SQL injection via the /MyPage.do widgetid parameter. |
| Recommended Fix | Upgrade to Applications Manager Version 13530 or above. |
Zoho ManageEngine Applications Manager allowed SQL injection via the /MyPage.do widgetid parameter. A remote attacker could send specially crafted SQL statements to MyPage.do in the 'widgetid' parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.
We recommend that you upgrade to Applications Manager Version 13530 or above to fix this issue.
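As an added example (not ManageEngine's code), the following script scans access-log lines for /MyPage.do requests whose widgetid is not a plain integer, and maps a build number onto the affected range from the table above. It assumes widgetid is meant to be numeric (the advisory does not say) and uses constructed Apache-style log lines.

```python
"""Flag /MyPage.do requests with a non-numeric widgetid in access logs.

Added example, not ManageEngine code. Assumption: widgetid is expected to be
a decimal integer, so anything else (quotes, keywords, comments) is reported.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Assumption: legitimate widget ids are short decimal integers.
WIDGETID_OK = re.compile(r"^\d{1,10}$")

# Request line inside a combined-format log entry: "METHOD target HTTP/x.y"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_widgetid(log_line: str) -> Optional[str]:
    """Return the offending widgetid value for a /MyPage.do request, else None."""
    m = REQ_RE.search(log_line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith("/mypage.do"):
        return None  # other endpoints are out of scope for this advisory
    # keep_blank_values so an empty widgetid is still inspected
    for value in parse_qs(parts.query, keep_blank_values=True).get("widgetid", []):
        decoded = unquote_plus(value)  # parse_qs decoded once; again for double-encoding
        if not WIDGETID_OK.match(decoded.strip()):
            return decoded
    return None


def affected_build(build: int) -> bool:
    """Per the advisory: builds up to 13520 are affected, 13530 carries the fix."""
    return build < 13530


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, widgetid value) for every flagged line."""
    return [(i, v) for i, line in enumerate(lines) if (v := suspicious_widgetid(line))]


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Nov/2017:10:01:02 +0000] "GET /MyPage.do?widgetid=12 HTTP/1.1" 200 512',
    '10.0.0.7 - - [16/Nov/2017:10:01:09 +0000] "GET /MyPage.do?widgetid=12%27%20OR%201%3D1-- HTTP/1.1" 200 8123',
    '10.0.0.9 - - [16/Nov/2017:10:02:00 +0000] "GET /index.do?widgetid=x HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for idx, val in scan(SAMPLE_LOG):
        print(f"line {idx}: suspicious widgetid {val!r}")
```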
Source and Acknowledgements