An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain the authority of SYSTEM on the server due to a Popup_SLA.jsp sid SQL injection vulnerability. For example, the attacker can subsequently write arbitrary text to a .vbs file.
CPE | Name | Operator | Version |
---|---|---|---|
manageengine_applications_manager | ge | 11.0 | |
manageengine_applications_manager | le | 14.0 |