Web application abuses : ManageEngine OpManager Multiple Vulnerabilities (Feb 2015)

Anfälligkeitssuche		Suche in 219043 CVE Beschreibungen und 99761 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.0.805473

Kategorie: Web application abuses

Titel: ManageEngine OpManager Multiple Vulnerabilities (Feb 2015) - Active Check

Zusammenfassung: ManageEngine OpManager is prone to multiple vulnerabilities.

Beschreibung: Summary:
ManageEngine OpManager is prone to multiple vulnerabilities.

Vulnerability Insight:
The flaw is due to multiple SQL injection, local file include
and file overwrite vulnerabilities in the FailOverHelperServlet (aka FailServlet) servlet.

Vulnerability Impact:
Successful exploitation will allow remote remote attackers and
remote authenticated users to execute arbitrary SQL commands via the customerName or serverRole
parameter in a standbyUpdateInCentral operation or to read/overwrite arbitrary files to
servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.

Affected Software/OS:
ManageEngine OpManager version 8 through 11.5 build 11400.

Solution:
Update to version 11.6 or install the patch for 11.4 / 11.5.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Querverweis: Common Vulnerability Exposure (CVE) ID: CVE-2014-7864
Bugtraq: 20150128 [The ManageOwnage Series, part XII]: Multiple vulnerabilities in FailOverServlet (OpManager, AppManager, IT360) (Google Search)
http://www.securityfocus.com/archive/1/534575/100/0/threaded
http://seclists.org/fulldisclosure/2015/Jan/114
http://packetstormsecurity.com/files/130162/ManageEngine-File-Download-Content-Disclosure-SQL-Injection.html
https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_failservlet.txt
XForce ISS Database: manageengine-cve20147864-sql-injection(100555)
https://exchange.xforce.ibmcloud.com/vulnerabilities/100555

Copyright Copyright (C) 2015 Greenbone Networks GmbH

Dies ist nur einer von 99761 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.0.805473
Kategorie:	Web application abuses
Titel:	ManageEngine OpManager Multiple Vulnerabilities (Feb 2015) - Active Check
Zusammenfassung:	ManageEngine OpManager is prone to multiple vulnerabilities.
Beschreibung:	Summary: ManageEngine OpManager is prone to multiple vulnerabilities. Vulnerability Insight: The flaw is due to multiple SQL injection, local file include and file overwrite vulnerabilities in the FailOverHelperServlet (aka FailServlet) servlet. Vulnerability Impact: Successful exploitation will allow remote remote attackers and remote authenticated users to execute arbitrary SQL commands via the customerName or serverRole parameter in a standbyUpdateInCentral operation or to read/overwrite arbitrary files to servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet. Affected Software/OS: ManageEngine OpManager version 8 through 11.5 build 11400. Solution: Update to version 11.6 or install the patch for 11.4 / 11.5. CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Querverweis:	Common Vulnerability Exposure (CVE) ID: CVE-2014-7864 Bugtraq: 20150128 [The ManageOwnage Series, part XII]: Multiple vulnerabilities in FailOverServlet (OpManager, AppManager, IT360) (Google Search) http://www.securityfocus.com/archive/1/534575/100/0/threaded http://seclists.org/fulldisclosure/2015/Jan/114 http://packetstormsecurity.com/files/130162/ManageEngine-File-Download-Content-Disclosure-SQL-Injection.html https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_failservlet.txt XForce ISS Database: manageengine-cve20147864-sql-injection(100555) https://exchange.xforce.ibmcloud.com/vulnerabilities/100555
Copyright	Copyright (C) 2015 Greenbone Networks GmbH