Description
Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the (1) OPM_BVNAME parameter in a Delete operation to the APMBVHandler servlet or (2) query parameter in a compare operation to the DataComparisonServlet servlet.
Exploits (2)
References (6)
Core References
Exploit vdb-entry | x_refsource_bid | http://www.securityfocus.com/bid/71002
Exploit mailing-list | x_refsource_fulldisc | http://seclists.org/fulldisclosure/2014/Nov/21
Exploit | x_refsource_misc | https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt
Third Party Advisory, VDB Entry mailing-list | x_refsource_bugtraq | http://www.securityfocus.com/archive/1/533946/100/0/threaded
Exploit, Patch | x_refsource_confirm | https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix
Scores
EPSS: 0.6968
EPSS Percentile: 98.7%
Details
CWE: CWE-89
Status: published
Products (5)
zohocorp/manageengine_it360 10.3.0
zohocorp/manageengine_it360 10.4
zohocorp/manageengine_opmanager 11.3
zohocorp/manageengine_opmanager 11.4
zohocorp/manageengine_social_it_plus 11.0
Published: Dec 04, 2014
Tracked Since: Feb 18, 2026