Detections
Analytics
Zoho ManageEngine OpManager 'OPM_BVNAME' Multiple Vulnerabilities
high Nessus Plugin ID 81379
Language:
Synopsis
The remote host is running a web application that is affected by multiple vulnerabilities.Description
The remote host is running a version of Zoho ManageEngine OpManager that is affected by multiple vulnerabilities :- A blind SQL injection vulnerability exists due to improper sanitization of user-supplied input to the 'OPM_BVNAME' parameter of the APMBVHandler servlet. An unauthenticated, remote attacker can exploit this to modify the application's database and potentially gain administrative rights. (CVE-2014-7868 / CVE-2016-82014)
- A reflected cross-site scripting (XSS) vulnerability exists due to improper validation of user-supplied input to the 'OPM_BVNAME' parameter of the APMBVHandler servlet. A context-dependent attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session.
(CVE-2016-82015)
Note that additional SQL injection vulnerabilities exist; however, Nessus has not tested for these.
Solution
Zoho has released a patch for ManageEngine OpManager versions 11.3, 11.4, and 11.5; however, the patch is only a partial fix. Upgrade to OpManager version 11.6 for the full fix.See Also
Plugin Details
Severity: High
ID: 81379
File Name: manageengine_opmanager_OPM_BVNAME_sqli.nasl
Version: 1.9
Type: remote
Family: CGI abuses
Published: 2/16/2015
Updated: 1/19/2021
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.6
CVSS v2
Risk Factor: High
Base Score: 7.5
Temporal Score: 5.9
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
Vulnerability Information
CPE: cpe:/a:zohocorp:manageengine_opmanager
Required KB Items: installed_sw/ManageEngine OpManager
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 6/1/2014
Vulnerability Publication Date: 8/19/2014
Reference Information
CVE: CVE-2014-7868, CVE-2016-82014, CVE-2016-82015
BID: 71002
TRA: TRA-2016-10