CVE-2019-15105

{"id": "CVE-2019-15105", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 9.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "authentication": "SINGLE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2019-08-16T03:15:11.247", "references": [{"url": "http://pentest.com.tr/exploits/DEFCON-ManageEngine-APM-v14-Privilege-Escalation-Remote-Command-Execution.html", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.exploit-db.com/exploits/47228", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-15105.html", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://pentest.com.tr/exploits/DEFCON-ManageEngine-APM-v14-Privilege-Escalation-Remote-Command-Execution.html", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.exploit-db.com/exploits/47228", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-15105.html", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Zoho ManageEngine Application Manager through 14.2. There is a SQL Injection vulnerability in jsp/NewThresholdConfiguration.jsp via the resourceid parameter. Therefore, a low-authority user can gain the authority of SYSTEM on the server. One can consequently upload a malicious file using the \"Execute Program Action(s)\" feature."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Zoho ManageEngine Application Manager versiones hasta 14.2. Se presenta una vulnerabilidad de inyecci\u00f3n SQL en el archivo jsp/NewThresholdConfiguration.jsp por medio del par\u00e1metro resourceid. Por lo tanto, un usuario con poca autoridad puede conseguir la autoridad de SYSTEM en el servidor. En consecuencia, se puede cargar un archivo malicioso utilizando la funcionalidad \"Execute Program Action(s)\"."}], "lastModified": "2024-11-21T04:28:03.510", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:zohocorp:manageengine_applications_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DF0916CB-CF3C-411C-9C6B-ED9B2CF0336C", "versionEndIncluding": "14.2", "versionStartIncluding": "12.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}