# CVE-2020-15927

### SQL Injection attack possible in 'resourceid' parameter of SAP module.

## Vulnerability Details

| Vulnerability Details |  |
|---|---|
| Impact | **CVSS V3 rating: 8.5 CRITICAL** |
| Fixed | 8 July 2020 |
| Affected Builds | Below 14684<br>Between 14689 and 14750 |
| Fixed in | Version 14750 and above |
| Overview | SQL Injection attack possible in 'resourceid' parameter in SAP module. |
| Recommended Fix | **Upgrade Applications Manager to version 14750 or above.** |

## Description- Security Update - CVE-2020-15927 Database

Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the SAP module.

We recommend you to upgrade Applications Manager to version 14750 or above to fix this issue.

## Source and Acknowledgements

Find out more about CVE-2020-15927 from [CVE Directory](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15927) and [NIST NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-15927).

**Reported by:**
Vu Van Tien from VSEC Redteam

### Need Help?

For clarification or corrections please contact our [support team](https://www.manageengine.com/products/applications_manager/support.html) or email us at [appmanager-support@manageengine.com](mailto:appmanager-support@manageengine.com)