| Field | Details |
|---|---|
| Impact | CVSS V3 rating: 9.8 CRITICAL |
| Fixed | 24 April 2019 |
| Affected Builds | Till Build 14140 |
| Fixed in | Build 14150 |
| Overview | Unauthenticated access and SQL Injection vulnerability with "resourceid" parameter in /jsp/FaultTemplateOptions.jsp. |
| Recommended Fix | Upgrade to Applications Manager Version 14150 or above. |

ManageEngine Applications Manager 12 through 14 allows SQL injection via the "resourceid" parameter in FaultTemplateOptions.jsp. An unauthenticated user can subsequently gain SYSTEM privileges on the server by uploading a malicious file via the "Execute Program Action(s)" feature.

We recommend that you upgrade to Applications Manager Version 14150 or above to fix this issue.
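
For servers that ran an affected build, the following added example (not ManageEngine code) reviews web access logs for requests to the JSP named above whose "resourceid" value is not a plain integer. It assumes common/combined log format and that legitimate "resourceid" values are purely numeric; the function name and sample log entries are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qs

TARGET_PATH = "/jsp/faulttemplateoptions.jsp"  # path from the advisory, lower-cased
PARAM = "resourceid"                           # parameter from the advisory

# Assumed log layout: common/combined access-log format.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def suspicious_requests(lines):
    """Return (client_ip, status, decoded_value) for each request to the
    advisory's JSP whose resourceid is not a plain integer.
    Assumption: legitimate resourceid values are purely numeric."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("uri"))
        # Drop path parameters such as ";jsessionid=..." and decode %xx escapes.
        path = unquote(url.path).split(";", 1)[0].lower()
        if path != TARGET_PATH:
            continue
        values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
        for value in values:
            if not re.fullmatch(r"\d+", value):
                findings.append((m.group("ip"), int(m.group("status")), value))
    return findings

# Constructed sample entries (documentation IP ranges, made-up values).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Apr/2019:10:01:02 +0000] '
    '"GET /jsp/FaultTemplateOptions.jsp?resourceid=10000055 HTTP/1.1" 200 812',
    '198.51.100.7 - - [20/Apr/2019:10:03:44 +0000] '
    '"GET /jsp/FaultTemplateOptions.jsp?resourceid=10000055%27%3B-- HTTP/1.1" 200 790',
    '198.51.100.7 - - [20/Apr/2019:10:03:51 +0000] '
    '"GET /jsp/faulttemplateoptions.jsp;jsessionid=ABC123?resourceid=1%20OR%201%3D1 HTTP/1.1" 500 120',
    '192.0.2.10 - - [20/Apr/2019:10:05:00 +0000] '
    '"GET /index.do?resourceid=abc HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} status={status} resourceid={value!r}")
```

Access logs do not record POST bodies, so a clean result here does not rule out abuse; treat any hit as a lead for further review of the host.
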
Source and Acknowledgements