|
|
|||
| Rule General Information |
|---|
| Release Date: | 2018-11-26 | |
| Rule Name: | Zoho ManageEngine OpManager RelationalMailServer addMailServerSettings SQL Injection Vulnerability -1 (CVE-2018-18949) | |
| Severity: | ||
| CVE ID: | ||
| Rule Protection Details |
|---|
| Description: | Zoho ManageEngine OpManager up to 12.3 has SQL Injection via Mail Server settings. This vulnerability is due to insufficient validation of the mailservername and fromemailid parameters when processing requests sent to RelationalMailServer. | |
| Impact: | A remote, authenticated attacker could exploit this vulnerability by sending a web request with a malicious SQL query to the target server. Successful exploitation could lead to arbitrary code execution in the security context of database service. | |
| Affected OS: | Network Device, Solaris, FreeBSD, Windows, Mac OS, iOS, Other Unix, Linux, Others, Android | |
| Reference: | https://www.manageengine.com/network-monitoring/help/read-me.html |
|
| Solutions |
|---|
| Upgrading to version 12.3 eliminates this vulnerability. |