PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and earlier allows remote administrators to bypass SQL query restrictions via a comment in the query to api/json/admin/SubmitQuery, as demonstrated by “INSERT/**/INTO.”
CPE | Name | Operator | Version |
---|---|---|---|
manageengine_opmanager | le | 11.5 | |
manageengine_opmanager | eq | 11.6 |
packetstormsecurity.com/files/133596/ManageEngine-OpManager-Remote-Code-Execution.html
seclists.org/fulldisclosure/2015/Sep/66
www.rapid7.com/db/modules/exploit/windows/http/manage_engine_opmanager_rce
support.zoho.com/portal/manageengine/helpcenter/articles/pgsql-submitquery-do-vulnerability
www.exploit-db.com/exploits/38221/