CVE-2020-15533

EPSS 4.2%
Veröffentlicht 01.10.2020 19:15:12
Zuletzt bearbeitet 21.11.2024 05:05:42
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

In Zoho ManageEngine Application Manager 14.7 Build 14730 (before 14684, and between 14689 and 14750), the AlarmEscalation module is vulnerable to unauthenticated SQL Injection attack.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 13 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Zohocorp ≫ Manageengine Applications Manager Version < 14.6

Zohocorp ≫ Manageengine Applications Manager Version14.6 Update-

Zohocorp ≫ Manageengine Applications Manager Version14.6 Updatebuild14680

Zohocorp ≫ Manageengine Applications Manager Version14.6 Updatebuild14681

Zohocorp ≫ Manageengine Applications Manager Version14.6 Updatebuild14682

Zohocorp ≫ Manageengine Applications Manager Version14.6 Updatebuild14683

Zohocorp ≫ Manageengine Applications Manager Version14.6 Updatebuild14690

Zohocorp ≫ Manageengine Applications Manager Version14.7 Update-

Zohocorp ≫ Manageengine Applications Manager Version14.7 Updatebuild14700

Zohocorp ≫ Manageengine Applications Manager Version14.7 Updatebuild14710

Zohocorp ≫ Manageengine Applications Manager Version14.7 Updatebuild14720

Zohocorp ≫ Manageengine Applications Manager Version14.7 Updatebuild14730

Zohocorp ≫ Manageengine Applications Manager Version14.7 Updatebuild14740

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	4.2%	0.897

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

https://www.manageengine.com

Vendor Advisory

https://www.manageengine.com/products/applications_manager/issues.html#v14750

Vendor Advisory

Release Notes

https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2020-15533.html

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-15533

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-15533

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-15533

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2020-15533