ManageEngine Products Vulnerable to SQL Injections

Several ManageEngine products have come under fire for SQL injection vulnerabilities. The affected products are EventLog Analyzer 11.8, Log360 5.3, and Applications Manager 13. It's reported that these products are in use by over half of Fortune 500 companies.

ManageEngine now has security patches available. Even though the company has provided no clear indication about these vulnerabilities on its web site, customers can find a security disclosure on Digital Defense’s web site:

ManageEngine Disclosure #2

DDI-VRT-2018-10 – Unauthenticated File Upload Remote Code Execution via /agentUpload

DDI-VRT-2018-11 – Unauthenticated Blind SQL Injection via /servlet/aam_servercmd

DDI-VRT-2018-12 – Multiple Unauthenticated Blind SQL Injections via /servlet/SyncEventServlet

DDI-VRT-2018-13 – Unauthenticated Local File Inclusion via /servlet/FailOverHelperServlet

DDI-VRT-2018-14 – Unauthenticated Blind SQL Injection via /servlet/MenuHandlerServlet

DDI-VRT-2018-15 – Unauthenticated API Key Disclosure via /servlet/OPMRequestHandlerServlet

