Vulnerability Details | |
---|---|
Impact | CVSS V3 rating: 8.1 HIGH |
Fixed | 30 April 2020 |
Affected Builds | Up to version 14650 |
Fixed in | Build 14660 and above |
Overview | SQL Injection attack possible in 'haid' parameter of the '/auditLogAction.do' URL. |
Recommended Fix | Upgrade Applications Manager to version 14660 or above. |
In ManageEngine Applications Manager 13.1 Build 13100, the 'haid' parameter of the '/auditLogAction.do' module is vulnerable to a Time-based Blind SQL Injection attack.
We recommend that you upgrade Applications Manager to version 14660 or above to fix this issue.
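One way to review web access logs for requests matching this advisory, as an added example that is not ManageEngine's code: it flags '/auditLogAction.do' requests whose 'haid' value is not a plain integer. It assumes combined-format access logs and that legitimate 'haid' values are numeric IDs; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
ENDPOINT = "/auditlogaction.do"   # URL named in the advisory, lower-cased
PARAM = "haid"                    # parameter named in the advisory
NUMERIC_RE = re.compile(r"[0-9]+")

def suspicious_haid_values(line):
    """Return decoded haid values in one log line that are not plain integers."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    # Drop servlet path parameters such as ';jsessionid=...' before comparing.
    path = url.path.split(";", 1)[0].lower()
    if not path.endswith(ENDPOINT):
        return []
    # parse_qsl URL-decodes values and keeps repeated parameters.
    values = [v for k, v in parse_qsl(url.query) if k.lower() == PARAM]
    # Assumption: legitimate haid values are numeric IDs; anything else is flagged.
    return [v for v in values if not NUMERIC_RE.fullmatch(v)]

def scan(lines):
    """Return (client_ip, decoded_value) pairs for every flagged request."""
    hits = []
    for line in lines:
        for value in suspicious_haid_values(line):
            hits.append((line.split(" ", 1)[0], value))
    return hits

# Constructed sample log lines (documentation IP ranges, not from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/May/2020:10:00:01 +0000] "GET /auditLogAction.do?haid=10000042 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/May/2020:10:00:09 +0000] "GET /auditLogAction.do?haid=10000042%27%20-- HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/May/2020:10:01:30 +0000] "GET /AuditLogAction.do;jsessionid=ABC?haid=1%29%3B HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/May/2020:10:02:00 +0000] "GET /index.do?haid=abc HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"{ip}\thaid={value!r}")
```

Parameters sent in a POST body do not appear in access logs, so this check only covers values passed in the query string.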
Source and Acknowledgements
Find out more about CVE-2017-11738 from CVE Directory and NIST NVD.
Reported by:
Elvin Hayes Gentiles of Trustwave SpiderLabs
For clarification or corrections please contact our support team or email us at appmanager-support@manageengine.com