Multiple ManageEngine Products CVE-2014-3996 SQL Injection Vulnerability
BID:69305
Info
| Bugtraq ID: | 69305 |
| Class: | Input Validation Error |
| CVE: | CVE-2014-3996 |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 19 2014 12:00AM |
| Updated: | Sep 01 2014 09:48AM |
| Credit: | Pedro Ribeiro |
| Vulnerable: | |
| Not Vulnerable: | |
Discussion
Multiple ManageEngine products are prone to an SQL-injection vulnerability because they fail to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an unauthenticated remote attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following products are affected:
ManageEngine Desktop Central 4 through 9 build 90033
ManageEngine Password Manager Pro 5 through 7 build 7002
ManageEngine IT360 8 through 10.1.1 build 10110
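The advisory describes the root cause only as unsanitized input reaching an SQL query. The following is an added illustration, not code from ManageEngine or from the original advisory, of that pattern beside its fix. The table, column names and the hypothetical lookup functions are assumptions; only the parameter name sv is taken from the page. It also shows why a browser is enough to exploit it: a true/false condition appended to the value changes the result set, which is the differential a blind injection relies on.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the application's backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE links (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO links(name, owner) VALUES (?, ?)",
        [("dashboard", "alice"), ("reports", "bob"), ("admin-console", "root")],
    )
    return conn


def fetch_links_vulnerable(conn, sv):
    """Hypothetical lookup that concatenates the untrusted sv value into the statement.

    This is the pattern the advisory describes: whatever the client sends becomes SQL syntax.
    """
    sql = "SELECT name FROM links WHERE name = '" + sv + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def fetch_links_fixed(conn, sv):
    """Same lookup with a bound parameter: the value is sent separately from the SQL text,
    so quotes, comments and keywords inside it are just characters of the compared string."""
    rows = conn.execute("SELECT name FROM links WHERE name = ? ORDER BY id", (sv,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = make_db()
    # Normal use: both versions behave identically.
    print(fetch_links_vulnerable(conn, "dashboard"), fetch_links_fixed(conn, "dashboard"))
    # Tautology: the vulnerable version dumps every row, the fixed one matches nothing.
    payload = "' OR '1'='1"
    print(fetch_links_vulnerable(conn, payload), fetch_links_fixed(conn, payload))
    # Boolean-blind differential: a TRUE and a FALSE condition give visibly different
    # responses only in the vulnerable version, which is all a browser-driven attacker needs.
    for cond in ("dashboard' AND '1'='1", "dashboard' AND '1'='2"):
        print(repr(cond), fetch_links_vulnerable(conn, cond), fetch_links_fixed(conn, cond))
```

The fix in the second function is the general one: bind every client-controlled value, never build statement text from it.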
Exploit / POC
Attackers can use a browser to exploit this issue; no authentication is required.
The following example URIs are available ([SQLi] marks the injection point in the sv parameter):
www.example.com/LinkViewFetchServlet.dat?sv=[SQLi]
www.example.com/console/LinkViewFetchServlet.dat?sv=[SQLi]
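Because the injection point is a single query-string parameter on a known servlet path, exploitation attempts leave a clear trace in the web server access log. The following detection routine is an added example, not part of the original advisory or of any ManageEngine product: it parses combined-format access log lines, keeps only requests to LinkViewFetchServlet.dat (at either of the two paths shown above), URL-decodes the sv parameter and flags values containing SQL metacharacters or keywords. The log lines are constructed for the example; the log format and the keyword list are assumptions to tune for your environment.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined/common access-log prefix: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)

# Metacharacters and keywords that should never appear in a legitimate sv value.
# Keyword list is an assumption; extend it for the database your deployment uses.
SQLI_RE = re.compile(
    r"""('|--|/\*|;|\b(?:or|and|union|select|sleep|pg_sleep|waitfor)\b)""",
    re.IGNORECASE,
)

VULN_SERVLET = "/LinkViewFetchServlet.dat"

# Constructed sample log lines (not real traffic). Lines 2 and 3 are injection attempts
# against the two paths named in the advisory; line 4 hits a different path and is ignored.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Aug/2014:10:12:01 +0000] "GET /LinkViewFetchServlet.dat?sv=42 HTTP/1.1" 200 512',
    '10.0.0.7 - - [19/Aug/2014:10:12:05 +0000] "GET /LinkViewFetchServlet.dat?sv=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9812',
    '10.0.0.7 - - [19/Aug/2014:10:12:09 +0000] "GET /console/LinkViewFetchServlet.dat?sv=42%3B%20SELECT%20pg_sleep(5)-- HTTP/1.1" 500 77',
    '10.0.0.9 - - [19/Aug/2014:10:13:00 +0000] "GET /index.jsp?sv=%27 HTTP/1.1" 200 100',
]


def flag_request(line):
    """Return a finding dict for a suspicious LinkViewFetchServlet.dat request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line; a production version would count these
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(VULN_SERVLET):
        return None
    # parse_qs percent-decodes the value, so encoded quotes and spaces are visible to the check.
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("sv", []):
        if SQLI_RE.search(value):
            return {
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": parts.path,
                "status": int(m.group("status")),
                "sv": value,
            }
    return None


def scan(lines):
    """Run flag_request over an iterable of log lines and collect the findings."""
    return [hit for hit in map(flag_request, lines) if hit is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['path']} status={hit['status']} sv={hit['sv']!r}")
```

A request to this servlet whose sv value contains a quote or an SQL keyword is a strong signal on its own; correlating by source IP over time catches the many-request pattern of a blind extraction. Expect some noise from the bare-word keywords (for example "and" inside ordinary text), so tune the keyword set against a sample of legitimate traffic before alerting on it.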
Solution / Fix
Solution:
The vendor has reportedly fixed this issue, but Symantec has not confirmed the fix. Contact the vendor for more information.
References
References:
- Password Manager Pro (ManageEngine)