| Vulnerability Details | |
|---|---|
| Impact | CVSS V3 rating: 9.8 CRITICAL |
| Fixed | 24 April 2019 |
| Affected Builds | Up to Build 14150 |
| Fixed in | Build 14150 |
| Overview | Unauthenticated access and SQL Injection/Remote Code Execution via Popup_SLA.jsp. |
| Recommended Fix | Upgrade to Applications Manager Version 14150 or above. |
An issue was discovered in ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain SYSTEM privileges on the server through a SQL injection in the sid parameter of Popup_SLA.jsp.
We recommend that you upgrade to Applications Manager Version 14150 or above to fix this issue.
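As an added detection example (not part of this advisory and not ManageEngine's code), the following Python scans web-server access logs for requests to Popup_SLA.jsp whose sid parameter is anything other than a plain integer, which is the shape a legitimate SLA lookup would use. The sample log lines, the common-log-format layout and the /jsp/ path prefix are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (hypothetical; not from the advisory).
# The /jsp/ path prefix is an assumption about the deployment layout.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Apr/2019:10:01:02 +0000] "GET /jsp/Popup_SLA.jsp?sid=1025 HTTP/1.1" 200 512
10.0.0.9 - - [24/Apr/2019:10:01:07 +0000] "GET /jsp/Popup_SLA.jsp?sid=1025%27%20-- HTTP/1.1" 200 9811
10.0.0.9 - - [24/Apr/2019:10:01:09 +0000] "GET /jsp/Popup_SLA.jsp?sid=1%3B%20SELECT HTTP/1.1" 500 120
10.0.0.7 - - [24/Apr/2019:10:02:00 +0000] "GET /index.do HTTP/1.1" 200 4321
"""

# client, timestamp, method, request target, status code (common log format)
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
INTEGER_SID = re.compile(r'^\d+$')


def suspicious_sid_requests(log_text):
    """Return (client, timestamp, decoded sid, status) for every Popup_SLA.jsp
    request whose sid is not a plain integer. Quotes, semicolons or SQL
    keywords in that parameter have no legitimate use and are worth triage."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not in the expected log format; skip rather than guess
        client, ts, _method, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.lower().endswith("/popup_sla.jsp"):
            continue
        # parse_qs percent-decodes, so sid=1025%27%20-- becomes "1025' --"
        for sid in parse_qs(parts.query).get("sid", []):
            if not INTEGER_SID.match(sid):
                hits.append((client, ts, sid, int(status)))
    return hits


if __name__ == "__main__":
    for hit in suspicious_sid_requests(SAMPLE_LOG):
        print("suspicious Popup_SLA.jsp request:", hit)
```

Because the advisory states the page is reachable without authentication, any hit should be correlated with the server's own application logs rather than dismissed because no session is present.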
Source and Acknowledgements
Find out more about CVE-2019-11448 from the CVE dictionary and NIST NVD.
Other Resources: https://pentest.com.tr/exploits/ManageEngine-App-Manager-14-SQLi-Remote-Code-Execution.html
For clarification or corrections please contact our support team or email us at appmanager-support@manageengine.com