← back
CVE-2019-15105

CVE-2019-15105

EPSS 7.8%
An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the "Execute Program Action(s)" feature.
Affected products
n/a · n/a
public PoCs found1
cve_referencewww.exploit-db.com/exploits/47228unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://pentest.com.tr/exploits/DEFCON-ManageEngine-APM-v14-Privilege-Escalation-Remote-Command-Execution.htmlhttps://www.exploit-db.com/exploits/47228https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-15105.html