Vendor: Applications Manager
By: Unknown
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Applications Manager
Affected Version From: 13
Affected Version To: 13
Patch Exists: NO
Related CWE: Unknown
CPE: a:manageengine:applications_manager:13
Platforms Tested: Unknown
Multiple SQL Injection Vulnerabilities in ManageEngine Applications Manager
ManageEngine Applications Manager version 13 contains multiple post-authentication SQL injection vulnerabilities. The first is in the 'name' parameter of the 'manageApplications.do' endpoint: an authenticated attacker can send a specially crafted POST request to execute arbitrary SQL queries. The second is in the 'viewProps' parameter of the 'GraphicalView.do' endpoint, where manipulating the 'yCanvas' field allows SQL injection.
Mitigation:
To mitigate these vulnerabilities, apply the latest security patches provided by ManageEngine or upgrade to a newer version of Applications Manager that does not contain them. Additionally, input validation and sanitization should be implemented to prevent SQL injection attacks.