CVE-2014-6038

HIGH

ManageEngine Eventlog Analyzer Managed Hosts Administrator Credential Disclosure

Title source: metasploit

Description

Zoho ManageEngine EventLog Analyzer versions 7 through 9.9 build 9002 have a database Information Disclosure Vulnerability. Fixed in EventLog Analyzer 10.0 Build 10000.

Exploits (2)

exploitdb WRITEUP

webappsmultiple

https://www.exploit-db.com/exploits/43893

View on exploitdb

metasploit WORKING POC

rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/eventlog_cred_disclosure.rb

View Code ZIP pw:eip

References (4)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/128996/ManageEngine-EventLog-Analyzer-SQL-Credential-Disclosure.html

[Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2014/Nov/12

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/70959

[VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/98540

Scores

CVSS v3 7.5

EPSS 0.8379

EPSS Percentile 99.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-200

Status published

Affected Products (1)

zohocorp/manageengine_eventlog_analyzer < 9.9

Timeline

Published Jan 13, 2020

Tracked Since Feb 18, 2026