ManageEngine Applications Manager IT360UtilitiesServlet SQLi

critical Nessus Plugin ID 84242

Synopsis

The remote web application is affected by a SQL injection vulnerability.

Description

The remote host is running a version of ManageEngine Applications Manager that is affected by a SQL injection vulnerability due to improper validation of user-supplied input to the 'IT360UtilitiesServlet' servlet. A remote attacker can exploit this flaw to execute arbitrary SQL statements.

Note that some third-party resources indicate that a patch exists for this vulnerability in the 11.x version branch. However, Tenable Research has successfully exploited this vulnerability in the latest available software release for this branch.

Solution

Upgrade to ManageEngine Applications Manager version 12 or later, as it does not ship with the affected script.

See Also

https://www.zerodayinitiative.com/advisories/ZDI-15-230/

Plugin Details

Severity: Critical

ID: 84242

File Name: manageengine_applications_manager_it360_sqli.nasl

Version: 1.5

Type: remote

Family: CGI abuses

Published: 6/17/2015

Updated: 1/19/2021

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/a:manageengine:applications_manager

Required KB Items: installed_sw/ManageEngine Applications Manager

Exploit Ease: No known exploits are available

Patch Publication Date: 4/20/2015

Vulnerability Publication Date: 5/15/2015

Reference Information

BID: 74692