CVE-2014-7868
Summary
| CVE | CVE-2014-7868 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2014-12-04 17:59:00 UTC |
| Updated | 2019-07-15 17:45:00 UTC |
| Description | Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the (1) OPM_BVNAME parameter in a Delete operation to the APMBVHandler servlet or (2) query parameter in a compare operation to the DataComparisonServlet servlet. |
Risk And Classification
Problem Types: CWE-89
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Zohocorp | Manageengine It360 | 10.3.0 | All | All | All |
| Application | Zohocorp | Manageengine It360 | 10.4 | All | All | All |
| Application | Zohocorp | Manageengine It360 | 10.3.0 | All | All | All |
| Application | Zohocorp | Manageengine It360 | 10.4 | All | All | All |
| Application | Zohocorp | Manageengine Opmanager | 11.3 | All | All | All |
| Application | Zohocorp | Manageengine Opmanager | 11.4 | All | All | All |
| Application | Zohocorp | Manageengine Opmanager | 11.3 | All | All | All |
| Application | Zohocorp | Manageengine Opmanager | 11.4 | All | All | All |
| Application | Zohocorp | Manageengine Social It Plus | 11.0 | All | All | All |
| Application | Zohocorp | Manageengine Social It Plus | 11.0 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt | MISC | raw.githubusercontent.com | Exploit |
| Full Disclosure: [The ManageOwnage series, part VIII]: Remote code execution and blind SQLi in OpManager, Social IT and IT360 | FULLDISC | seclists.org | Exploit |
| ManageEngine OpManager / Social IT Plus / IT360 File Upload / SQL Injection ≈ Packet Storm | MISC | packetstormsecurity.com | Exploit |
| SQL Injection Vulnerability FIx | CONFIRM | support.zoho.com | Exploit, Patch |
| Multiple ManageEngine Products CVE-2014-7868 Multiple SQL Injection Vulnerabilities | BID | www.securityfocus.com | Exploit |
| SecurityFocus | BUGTRAQ | www.securityfocus.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.