Details of VAR-201905-0978

ID

VAR-201905-0978

CVE

CVE-2019-11678

TITLE

Zoho ManageEngine Firewall Analyzer In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-004016

DESCRIPTION

The "default reports" feature in Zoho ManageEngine Firewall Analyzer before 12.3 Build 123218 is vulnerable to SQL Injection. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. ZOHO ManageEngine Firewall Analyzer is a set of web-based firewall log analysis tools from ZOHO, USA. It can collect, correlate analysis and report logs on firewalls, proxy servers and Radius servers throughout the enterprise. The vulnerability stems from the lack of verification of externally input SQL statements in database-based applications. Attackers can exploit this vulnerability to execute illegal SQL commands

Trust: 2.07

sources: NVD: CVE-2019-11678 // JVNDB: JVNDB-2019-004016 // BID: 108860 // VULHUB: VHN-143348 // VULMON: CVE-2019-11678

AFFECTED PRODUCTS

vendor:	zohocorp	model:	manageengine firewall analyzer	scope:	eq	version:	7.4	Trust: 1.0
vendor:	zohocorp	model:	manageengine firewall analyzer	scope:	eq	version:	8.5	Trust: 1.0
vendor:	zohocorp	model:	manageengine firewall analyzer	scope:	eq	version:	8.1	Trust: 1.0
vendor:	zohocorp	model:	manageengine firewall analyzer	scope:	eq	version:	8.3	Trust: 1.0
vendor:	zohocorp	model:	manageengine firewall analyzer	scope:	eq	version:	12.0	Trust: 1.0
vendor:	zohocorp	model:	manageengine firewall analyzer	scope:	eq	version:	12.2	Trust: 1.0
vendor:	zohocorp	model:	manageengine firewall analyzer	scope:	eq	version:	7.6	Trust: 1.0
vendor:	zohocorp	model:	manageengine firewall analyzer	scope:	eq	version:	12.3	Trust: 1.0
vendor:	zohocorp	model:	manageengine firewall analyzer	scope:	eq	version:	7.2	Trust: 1.0
vendor:	zohocorp	model:	manageengine firewall analyzer	scope:	eq	version:	8.0	Trust: 1.0
vendor:	zoho	model:	manageengine firewall analyzer	scope:	lt	version:	12.3 build 123218	Trust: 0.8
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	8.58500	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	8.38300	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	8.18110	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	8.08000	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	7.67600	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	7.47400	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	7.27021	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	7.27020	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	12.3123208	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	12.3123197	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	12.3123194	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	12.3123186	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	12.3123185	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	12.3123182	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	12.3123177	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	12.3123169	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	12.3123164	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	12.3123156	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	12.3123151	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	12.3123137	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	12.3123129	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	12.3123126	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	12.3123092	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	12.3123083	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	12.3123070	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	12.3123064	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	12.3123057	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	12.3123045	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	12.3123027	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	12.3123008	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	12.312300	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	12.212200	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	eq	version:	12.012000	Trust: 0.3
vendor:	zoho	model:	manageengine firewall analyzer build	scope:	ne	version:	12.3123218	Trust: 0.3

sources: BID: 108860 // JVNDB: JVNDB-2019-004016 // NVD: CVE-2019-11678

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2019-11678
value:	CRITICAL
Trust: 1.0
NVD:	CVE-2019-11678
value:	CRITICAL
Trust: 0.8
CNNVD:	CNNVD-201905-074
value:	CRITICAL
Trust: 0.6
VULHUB:	VHN-143348
value:	HIGH
Trust: 0.1
VULMON:	CVE-2019-11678
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2019-11678
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-143348
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2019-11678
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-143348 // VULMON: CVE-2019-11678 // JVNDB: JVNDB-2019-004016 // CNNVD: CNNVD-201905-074 // NVD: CVE-2019-11678

PROBLEMTYPE DATA

problemtype:

CWE-89

Trust: 1.9

sources: VULHUB: VHN-143348 // JVNDB: JVNDB-2019-004016 // NVD: CVE-2019-11678

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201905-074

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201905-074

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-004016

PATCH

title:	Firewall Analyzer - Release Notes	url:	https://www.manageengine.com/products/firewall/release-notes.html	Trust: 0.8
title:	ZOHO ManageEngine Firewall Analyzer SQL Repair measures for injecting vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=92210	Trust: 0.6

sources: JVNDB: JVNDB-2019-004016 // CNNVD: CNNVD-201905-074

EXTERNAL IDS

db:	NVD	id:	CVE-2019-11678	Trust: 2.9
db:	JVNDB	id:	JVNDB-2019-004016	Trust: 0.8
db:	CNNVD	id:	CNNVD-201905-074	Trust: 0.7
db:	BID	id:	108860	Trust: 0.3
db:	VULHUB	id:	VHN-143348	Trust: 0.1
db:	VULMON	id:	CVE-2019-11678	Trust: 0.1

sources: VULHUB: VHN-143348 // VULMON: CVE-2019-11678 // BID: 108860 // JVNDB: JVNDB-2019-004016 // CNNVD: CNNVD-201905-074 // NVD: CVE-2019-11678

REFERENCES

url:	https://www.manageengine.com/products/firewall/release-notes.html	Trust: 2.1
url:	https://nvd.nist.gov/vuln/detail/cve-2019-11678	Trust: 1.4
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-11678	Trust: 0.8
url:	https://www.manageengine.com/products/firewall/	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/89.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-143348 // VULMON: CVE-2019-11678 // BID: 108860 // JVNDB: JVNDB-2019-004016 // CNNVD: CNNVD-201905-074 // NVD: CVE-2019-11678

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 108860

SOURCES

db:	VULHUB	id:	VHN-143348
db:	VULMON	id:	CVE-2019-11678
db:	BID	id:	108860
db:	JVNDB	id:	JVNDB-2019-004016
db:	CNNVD	id:	CNNVD-201905-074
db:	NVD	id:	CVE-2019-11678

LAST UPDATE DATE

2024-11-23T21:59:56.410000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-143348	date:	2019-05-03T00:00:00
db:	VULMON	id:	CVE-2019-11678	date:	2019-05-03T00:00:00
db:	BID	id:	108860	date:	2019-05-02T00:00:00
db:	JVNDB	id:	JVNDB-2019-004016	date:	2019-05-27T00:00:00
db:	CNNVD	id:	CNNVD-201905-074	date:	2019-05-08T00:00:00
db:	NVD	id:	CVE-2019-11678	date:	2024-11-21T04:21:34.610

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-143348	date:	2019-05-02T00:00:00
db:	VULMON	id:	CVE-2019-11678	date:	2019-05-02T00:00:00
db:	BID	id:	108860	date:	2019-05-02T00:00:00
db:	JVNDB	id:	JVNDB-2019-004016	date:	2019-05-27T00:00:00
db:	CNNVD	id:	CNNVD-201905-074	date:	2019-05-02T00:00:00
db:	NVD	id:	CVE-2019-11678	date:	2019-05-02T14:29:00.450