9.8

CVE-2020-15533

In Zoho ManageEngine Application Manager 14.7 Build 14730 (before 14684, and between 14689 and 14750), the AlarmEscalation module is vulnerable to unauthenticated SQL Injection attack.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ZohocorpManageengine Applications Manager Version14.6 Updatebuild14680
ZohocorpManageengine Applications Manager Version14.6 Updatebuild14681
ZohocorpManageengine Applications Manager Version14.6 Updatebuild14682
ZohocorpManageengine Applications Manager Version14.6 Updatebuild14683
ZohocorpManageengine Applications Manager Version14.6 Updatebuild14690
ZohocorpManageengine Applications Manager Version14.7 Updatebuild14700
ZohocorpManageengine Applications Manager Version14.7 Updatebuild14710
ZohocorpManageengine Applications Manager Version14.7 Updatebuild14720
ZohocorpManageengine Applications Manager Version14.7 Updatebuild14730
ZohocorpManageengine Applications Manager Version14.7 Updatebuild14740
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 11.45% 0.929
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.