CVE-2019-11469

CRITICAL

Zoho ManageEngine Apps Mgr <15 - SQL Injection

Description

Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature.

Exploits (1)

exploitdb WORKING POC
by AkkuS · ruby · remote · multiple
https://www.exploit-db.com/exploits/46740

Scores

CVSS v3 9.8
EPSS 0.0507
EPSS Percentile 89.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-89
Status published
Products (1)
zohocorp/manageengine_applications_manager 12.0 - 14.0
Published Apr 23, 2019
Tracked Since Feb 18, 2026