Description
ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 does not properly restrict access to the database browser, which allows remote authenticated users to obtain access to the database via a direct request to event/runQuery.do. Fixed in Build 10000.
Exploits (1)
exploitdb
WORKING POC
by Hans-Martin Muench · text · webapps · jsp
https://www.exploit-db.com/exploits/34519
References (6)
Core References
Exploit (x_refsource_misc): http://packetstormsecurity.com/files/128102/ManageEngine-EventLog-Analyzer-9.9-Authorization-Code-Execution.html
Exploit, exploit (x_refsource_exploit-db): http://www.exploit-db.com/exploits/34519
Exploit, US Government Resource, mailing-list (x_refsource_fulldisc): http://seclists.org/fulldisclosure/2014/Aug/86
Exploit, mailing-list (x_refsource_fulldisc): http://seclists.org/fulldisclosure/2014/Sep/19
Exploit, vdb-entry (x_refsource_bid): http://www.securityfocus.com/bid/69482
Exploit (x_refsource_misc): https://www.mogwaisecurity.de/advisories/MSA-2014-01.txt
Scores
EPSS
0.0485
EPSS Percentile
89.6%
Details
CWE
CWE-264
Status
published
Products (2)
zohocorp/manageengine_eventlog_analyzer, version 8.2 build 8020
zohocorp/manageengine_eventlog_analyzer, version 9.0 build 9002
Published
Sep 11, 2014
Tracked Since
Feb 18, 2026