| Impact | CVSS V3 rating: 8.8 HIGH |
| Fixed | 13 August 2019 |
| Affected Builds | Till Build 14290 |
| Fixed in | Build 14300 |
| Overview | SQL Injection vulnerability with "resourceid" parameter in /jsp/NewThresholdConfiguration.jsp. |
| Recommended Fix | Upgrade to Applications Manager Version 14300 or above. |
ManageEngine Applications Manager 12 through 14.2 allows SQL injection through the "resourceid" parameter in NewThresholdConfiguration.jsp. A low-privileged user can subsequently gain SYSTEM privileges on the server by uploading a malicious file via the "Execute Program Action(s)" feature.
We recommend that you upgrade to Applications Manager Version 14300 or above to fix this issue.
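A log review that can run alongside the upgrade, as an added example that is not part of the original advisory or the vendor's code: it flags access-log requests to /jsp/NewThresholdConfiguration.jsp whose "resourceid" value is not a plain integer. The assumption that legitimate IDs are numeric, the Common Log Format input and the sample lines are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

TARGET_PATH = "/jsp/newthresholdconfiguration.jsp"   # path named in the advisory
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
NUMERIC_ID = re.compile(r"\d{1,19}")                 # assumption: IDs are integers

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %2527 -> %27 -> ')."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_lines):
    """Return (client_ip, decoded_value) for each non-numeric resourceid."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        path = url.path.split(";")[0].lower()        # drop ;jsessionid=... suffix
        if path != TARGET_PATH:
            continue
        for name, raw in parse_qsl(url.query, keep_blank_values=True):
            if name.lower() != "resourceid":
                continue
            value = fully_decode(raw)
            if not NUMERIC_ID.fullmatch(value):
                hits.append((line.split()[0], value))
    return hits

# Constructed sample lines (documentation IP range, invented IDs).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Aug/2019:10:00:01 +0000] "GET /jsp/NewThresholdConfiguration.jsp?resourceid=10000057 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Aug/2019:10:02:13 +0000] "GET /jsp/NewThresholdConfiguration.jsp?resourceid=10000057%27 HTTP/1.1" 500 312',
    '192.0.2.44 - - [01/Aug/2019:10:02:19 +0000] "GET /jsp/NewThresholdConfiguration.jsp;jsessionid=ABC?resourceid=10000057%2527 HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Aug/2019:10:03:00 +0000] "GET /index.do?resourceid=x HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"review: {ip} sent resourceid={value!r}")
```

Access logs record only the query string, so a value sent in a POST body will not appear here and needs application or database logs instead.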
Source and Acknowledgements