Short Name | HTTP:CTS-CVE-2018-7890-CMD-INJ
Severity | Major
Recommended | Yes
Recommended Action | Drop
Category | HTTP
Keywords | Zoho ManageEngine Application Manager Command Injection
Release Date | 2018/06/19
Update Number | 3075
Supported Platforms | idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+
HTTP: Zoho ManageEngine Application Manager Command Injection
This signature detects attempts to exploit a known vulnerability in Zoho ManageEngine. Successful exploitation can result in remote command execution.
Extended Description
A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specified system. This endpoint calls several internal classes, and then executes a PowerShell script. If the specified system is OfficeSharePointServer, then the username and password parameters to this script are not validated, leading to Command Injection.
Affected Products
- Zohocorp manageengine_applications_manager 11.0
- Zohocorp manageengine_applications_manager 11.1
- Zohocorp manageengine_applications_manager 11.2
- Zohocorp manageengine_applications_manager 11.3
- Zohocorp manageengine_applications_manager 11.4
- Zohocorp manageengine_applications_manager 11.5
- Zohocorp manageengine_applications_manager 11.6
- Zohocorp manageengine_applications_manager 11.7
- Zohocorp manageengine_applications_manager 11.8
- Zohocorp manageengine_applications_manager 11.9
- Zohocorp manageengine_applications_manager 12.0
- Zohocorp manageengine_applications_manager 12.1
- Zohocorp manageengine_applications_manager 12.2
- Zohocorp manageengine_applications_manager 12.3
- Zohocorp manageengine_applications_manager 12.4
- Zohocorp manageengine_applications_manager 12.5
- Zohocorp manageengine_applications_manager 12.6
- Zohocorp manageengine_applications_manager 12.7
- Zohocorp manageengine_applications_manager 12.8
- Zohocorp manageengine_applications_manager 12.9
- Zohocorp manageengine_applications_manager 13.0
- Zohocorp manageengine_applications_manager 13.1
- Zohocorp manageengine_applications_manager 13.2
- Zohocorp manageengine_applications_manager 13.3
- Zohocorp manageengine_applications_manager 13.4
- Zohocorp manageengine_applications_manager 13.5