Sign-up

ID

VAR-201908-0730


CVE

CVE-2019-15105


TITLE

Zoho ManageEngine Application Manager In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-008298

DESCRIPTION

An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature. Zoho ManageEngine Application Manager Is SQL An injection vulnerability exists.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. This system is mainly used to monitor server and application performance. An attacker could use this vulnerability to execute illegal SQL commands

Trust: 2.16

sources: NVD: CVE-2019-15105 // JVNDB: JVNDB-2019-008298 // CNVD: CNVD-2019-34851

IOT TAXONOMY

category:['ICS']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-34851

AFFECTED PRODUCTS

vendor:zohocorpmodel:manageengine applications managerscope:gteversion:12.0

Trust: 1.0

vendor:zohocorpmodel:manageengine applications managerscope:lteversion:14.2

Trust: 1.0

vendor:zohomodel:manageengine applications managerscope:lteversion:14.2

Trust: 0.8

vendor:zohomodel:manageengine application managerscope:lteversion:<=14.2

Trust: 0.6

sources: CNVD: CNVD-2019-34851 // JVNDB: JVNDB-2019-008298 // NVD: CVE-2019-15105

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-15105
value: HIGH

Trust: 1.0

NVD: CVE-2019-15105
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-34851
value: HIGH

Trust: 0.6

CNNVD: CNNVD-201908-1149
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2019-15105
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2019-34851
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-15105
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2019-34851 // JVNDB: JVNDB-2019-008298 // CNNVD: CNNVD-201908-1149 // NVD: CVE-2019-15105

PROBLEMTYPE DATA

problemtype:CWE-89

Trust: 1.8

sources: JVNDB: JVNDB-2019-008298 // NVD: CVE-2019-15105

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201908-1149

TYPE

SQL injection

Trust: 0.6

sources: CNNVD: CNNVD-201908-1149

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2019-008298

PATCH
title:CVE-2019-15105url:https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-15105.html
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2019-008298

EXTERNAL IDS
db:NVDid:CVE-2019-15105
Trust: 3.0
db:EXPLOIT-DBid:47228
Trust: 1.6
db:JVNDBid:JVNDB-2019-008298
Trust: 0.8
db:CNVDid:CNVD-2019-34851
Trust: 0.6
db:CNNVDid:CNNVD-201908-1149
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2019-34851 // 
            
            
            
            JVNDB: JVNDB-2019-008298 // 
            
            
            
            CNNVD: CNNVD-201908-1149 // 
            
            
            
            NVD: CVE-2019-15105

REFERENCES
url:https://nvd.nist.gov/vuln/detail/cve-2019-15105
Trust: 2.0
url:http://pentest.com.tr/exploits/defcon-manageengine-apm-v14-privilege-escalation-remote-command-execution.html
Trust: 1.6
url:https://www.exploit-db.com/exploits/47228
Trust: 1.6
url:https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-15105.html
Trust: 1.6
url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-15105
Trust: 0.8
sources:
            
            
            CNVD: CNVD-2019-34851 // 
            
            
            
            JVNDB: JVNDB-2019-008298 // 
            
            
            
            CNNVD: CNNVD-201908-1149 // 
            
            
            
            NVD: CVE-2019-15105

SOURCES
db:CNVDid:CNVD-2019-34851
db:JVNDBid:JVNDB-2019-008298
db:CNNVDid:CNNVD-201908-1149
db:NVDid:CVE-2019-15105

LAST UPDATE DATE
2024-11-23T22:37:44.720000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2019-34851date:2019-10-12T00:00:00
db:JVNDBid:JVNDB-2019-008298date:2019-08-29T00:00:00
db:CNNVDid:CNNVD-201908-1149date:2019-08-27T00:00:00
db:NVDid:CVE-2019-15105date:2024-11-21T04:28:03.510

SOURCES RELEASE DATE
db:CNVDid:CNVD-2019-34851date:2019-10-09T00:00:00
db:JVNDBid:JVNDB-2019-008298date:2019-08-29T00:00:00
db:CNNVDid:CNNVD-201908-1149date:2019-08-15T00:00:00
db:NVDid:CVE-2019-15105date:2019-08-16T03:15:11.247