| Impact | CVSS V3 rating: 9.8 CRITICAL |
| Fixed | 24 April 2019 |
| Affected Builds | Till Build 14150 |
| Fixed in | Build 14150 |
| Overview | Unauthenticated access and SQL Injection/Remote Code Execution using Popup_SLA.jsp. |
| Recommended Fix | Upgrade to Applications Manager Version 14150 or above. |
An issue was discovered in ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain SYSTEM authority on the server through SQL injection in the sid parameter of Popup_SLA.jsp.
We recommend that you upgrade to Applications Manager Version 14150 and above to fix this issue.
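A log check that follows from the advisory, as an added example that is not ManageEngine's code: it flags requests to Popup_SLA.jsp whose sid parameter is not a plain integer. The access-log format, the assumption that legitimate sid values are integers, the function name, and the sample lines (including the request path prefix) are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Request field of a common/combined access-log line (log format is an assumption).
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Assumption: a legitimate sid is a plain integer identifier.
BENIGN_SID_RE = re.compile(r"\d{1,18}")

# Constructed sample lines; client addresses come from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Apr/2019:10:00:00 +0000] "GET /Popup_SLA.jsp?sid=42 HTTP/1.1" 200 900',
    '203.0.113.7 - - [20/Apr/2019:10:01:02 +0000] "GET /Popup_SLA.jsp?sid=1%27 HTTP/1.1" 200 512',
    '198.51.100.9 - - [20/Apr/2019:10:02:03 +0000] "GET /Popup_SLA.jsp;jsessionid=ABC?sid=1%2527 HTTP/1.1" 500 0',
    '192.0.2.10 - - [20/Apr/2019:10:03:04 +0000] "GET /index.do?sid=1%27 HTTP/1.1" 200 300',
]


def suspicious_sla_requests(lines):
    """Return (client, status, decoded_sid) for Popup_SLA.jsp hits with a non-integer sid."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        # Drop path parameters such as ;jsessionid and match on the file name only,
        # because the advisory does not give the full request path.
        path = url.path.split(";")[0]
        if not path.lower().endswith("popup_sla.jsp"):
            continue
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            if name.lower() != "sid":
                continue
            for value in values:
                # parse_qs decodes once; decode again to catch double-encoded values.
                decoded = unquote_plus(value)
                if not BENIGN_SID_RE.fullmatch(decoded):
                    findings.append((m.group("client"), int(m.group("status")), decoded))
    return findings


if __name__ == "__main__":
    for client, status, sid in suspicious_sla_requests(SAMPLE_LOG):
        print(f"{client} status={status} sid={sid!r}")
```

Access logs record only the query string, so a sid sent in a POST body would not appear in this check.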
Source and Acknowledgements