CVE-2019-11469
Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature.
Affected products
n/a · n/a
Public PoCs found — 3
cve_reference: packetstormsecurity.com/files/152607/ManageEngine-Applications-Manager-14.0-SQL-Injection-Command-Injection.html (unverified)
cve_reference: www.exploit-db.com/exploits/46740/ (unverified)
cve_reference: www.exploit-db.com/exploits/46740 (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/152607/ManageEngine-Applications-Manager-14.0-SQL-Injection-Command-Injection.html
https://pentest.com.tr/exploits/ManageEngine-App-Manager-14-Auth-Bypass-Remote-Command-Execution.html
https://www.exploit-db.com/exploits/46740
https://www.exploit-db.com/exploits/46740/
https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-11469.html