Several ManageEngine products have come under fire for SQL injection vulnerabilities. The products affected are EventLog Analyzer 11.8, Log360 5.3, and Applications Manager 13. It is reported that these products are in use by over half of Fortune 500 companies.
ManageEngine now has security patches available. Even though the company has given no clear indication of these vulnerabilities on its web site, customers can find a security disclosure on Digital Defense's web site:
DDI-VRT-2018-10 – Unauthenticated File Upload Remote Code Execution via /agentUpload
DDI-VRT-2018-11 – Unauthenticated Blind SQL Injection via /servlet/aam_servercmd
DDI-VRT-2018-12 – Multiple Unauthenticated Blind SQL Injections via /servlet/SyncEventServlet
DDI-VRT-2018-13 – Unauthenticated Local File Inclusion via /servlet/FailOverHelperServlet
DDI-VRT-2018-14 – Unauthenticated Blind SQL Injection via /servlet/MenuHandlerServlet
DDI-VRT-2018-15 – Unauthenticated API Key Disclosure via /servlet/OPMRequestHandlerServlet
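The advisory identifiers above name the URL paths involved, and an administrator's first question is usually whether any of those paths were requested from the outside before the patch went on. The following is an added example, not code from the page, from ManageEngine, or from Digital Defense: it parses a few constructed Apache/NCSA-style access log lines, flags requests whose path ends with one of the endpoints listed in the advisories, and tallies hits per source address. The log format, the sample lines and the helper names are all assumptions for illustration; a real ManageEngine deployment may log in a different format or under a different context path.

```python
import re
from collections import Counter

# Endpoint paths copied from the Digital Defense advisory titles on the page,
# mapped to the advisory ID and the issue class it describes.
ADVISORY_PATHS = {
    "/agentUpload": "DDI-VRT-2018-10 unauthenticated file upload / RCE",
    "/servlet/aam_servercmd": "DDI-VRT-2018-11 unauthenticated blind SQL injection",
    "/servlet/SyncEventServlet": "DDI-VRT-2018-12 unauthenticated blind SQL injections",
    "/servlet/FailOverHelperServlet": "DDI-VRT-2018-13 unauthenticated local file inclusion",
    "/servlet/MenuHandlerServlet": "DDI-VRT-2018-14 unauthenticated blind SQL injection",
    "/servlet/OPMRequestHandlerServlet": "DDI-VRT-2018-15 unauthenticated API key disclosure",
}

# Assumed NCSA common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic). Three of them touch advisory
# endpoints, one is benign application traffic, and one is an unparsable line.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2018:10:01:02 +0000] "GET /event/index2.do HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2018:10:01:05 +0000] "POST /agentUpload HTTP/1.1" 200 0',
    '203.0.113.7 - - [12/Mar/2018:10:01:09 +0000] "GET /servlet/MenuHandlerServlet?a=1 HTTP/1.1" 200 144',
    'this line is not in access-log format and must be skipped',
    '198.51.100.2 - - [12/Mar/2018:10:02:00 +0000] "GET /servlet/OPMRequestHandlerServlet HTTP/1.1" 200 88',
]


def parse_line(line):
    """Return a dict of fields for a well-formed log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before matching
    return rec


def find_hits(lines):
    """Return one record per request whose path ends with an advisory endpoint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for path, desc in ADVISORY_PATHS.items():
            # endswith() tolerates a context path prefix such as /emsalert/servlet/...
            if rec["path"].endswith(path):
                hits.append({
                    "ip": rec["ip"],
                    "ts": rec["ts"],
                    "method": rec["method"],
                    "path": rec["path"],
                    "status": rec["status"],
                    "advisory": desc,
                })
    return hits


def hits_per_source(hits):
    """Count flagged requests per source address, for triage ordering."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} {h["status"]} -> {h["advisory"]}')
    print("per-source:", dict(hits_per_source(found)))
```

A hit on one of these paths is a reason to look closer, not proof of exploitation: some of the servlets are legitimately used by the product's own components, so the useful follow-up is to compare the source addresses against the hosts that are supposed to talk to the server and to check the response sizes and status codes around the flagged requests.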