CVE-2014-3997

Exploit

EPSS 1.29%
Published 05.12.2014 15:59:01
Last modified 12.04.2025 10:46:40
Source cve@mitre.org
Teams watchlist Login
Open Login

SQL injection vulnerability in the MetadataServlet servlet in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition 5 through 7 build 7003, IT360 and IT360 Managed Service Providers (MSP) edition before 10.3.3 build 10330, and possibly other ManageEngine products, allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the sv parameter to MetadataServlet.dat.

Affected products Warnungen 0 Metrics 2 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

Zohocorp ≫ Manageengine Password Manager Pro Version5.0 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version5.1 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version5.2 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version5.3 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version5.4 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.0 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.0 Updatebuild6002 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.1 Updatebuild6104 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.2 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.2 Updatebuild6201 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.3 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.4 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.4 Updatebuild6401 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.4 Updatebuild6402 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.4 Updatebuild6403 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.4 Updatebuild6404 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.5 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.5 Updatebuild6503 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.5 Updatebuild6504 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.5 Updatebuild6505 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.6 Updatebuild6600 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.7 Updatebuild6700 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.7 Updatebuild6701 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.8 Updatebuild6800 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.8 Updatebuild6801 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.8 Updatebuild6802 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.8 Updatebuild6803 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.9 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.9 Updatebuild6900 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.9 Updatebuild6901 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.9 Updatebuild6902 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.9 Updatebuild6903 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version6.9 Updatebuild6904 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version7.0 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version7.0 Updatebuild7000 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version7.0 Updatebuild7001 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version7.0 Updatebuild7002 SwEdition-

Zohocorp ≫ Manageengine Password Manager Pro Version7.0 Updatebuild7003 SwEdition-

Zohocorp ≫ Manageengine It360 SwEdition- Version <= 10.3.3

Zohocorp ≫ Manageengine It360 SwEditionmanaged_service_providers Version <= 10.3.3

Zohocorp ≫ Manageengine Password Manager Pro Version5.0 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version5.1 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version5.2 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version5.3 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version5.4 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.0 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.0 Updatebuild6002 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.1 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.1 Updatebuild6104 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.2 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.2 Updatebuild6201 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.3 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.4 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.4 Updatebuild6401 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.4 Updatebuild6402 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.4 Updatebuild6403 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.4 Updatebuild6404 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.5 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.5 Updatebuild6503 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.5 Updatebuild6504 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.5 Updatebuild6505 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.6 Updatebuild6600 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.7 Updatebuild6700 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.7 Updatebuild6701 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.8 Updatebuild6800 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.8 Updatebuild6801 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.8 Updatebuild6802 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.8 Updatebuild6803 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.9 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.9 Updatebuild6900 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.9 Updatebuild6901 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.9 Updatebuild6902 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.9 Updatebuild6903 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version6.9 Updatebuild6904 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version7.0 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version7.0 Updatebuild7000 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version7.0 Updatebuild7001 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version7.0 Updatebuild7002 SwEditionmanaged_service_providers

Zohocorp ≫ Manageengine Password Manager Pro Version7.0 Updatebuild7003 SwEditionmanaged_service_providers

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.29%	0.779

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

http://seclists.org/fulldisclosure/2014/Aug/55

Third Party Advisory

Exploit

Mailing List

http://seclists.org/fulldisclosure/2014/Aug/85

Third Party Advisory

Exploit

Mailing List

https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_dc_pmp_it360_sqli.txt

Exploit

https://raw.githubusercontent.com/pedrib/PoC/master/msf_modules/manageengine_dc_pmp_sqli.rb

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2014-3997

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2014-3997

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2014-3997

EUVD