CVE-2020-28679

HIGH

Zoho ManageEngine Applications Manager < 14550 - Authenticated SQL Injection via showReports Module

Title source: llm

Description

A vulnerability in the showReports module of Zoho ManageEngine Applications Manager before build 14550 allows authenticated attackers to execute a SQL injection via a crafted request.

References (1)

Core 1

Core References

Release Notes, Vendor Advisory x_refsource_misc

https://www.manageengine.com/products/applications_manager/issues.html#v14550

Scores

CVSS v3 8.8

EPSS 0.0291

EPSS Percentile 86.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (25)

zohocorp/manageengine_applications_manager 11.0 build11010 (5 CPE variants)

zohocorp/manageengine_applications_manager 11.1 build11110

zohocorp/manageengine_applications_manager 11.2 build11200 (3 CPE variants)

zohocorp/manageengine_applications_manager 11.3 build11300

zohocorp/manageengine_applications_manager 11.4 build11410

zohocorp/manageengine_applications_manager 11.5 build11520

zohocorp/manageengine_applications_manager 11.6 build11610

zohocorp/manageengine_applications_manager 11.7 build11700

zohocorp/manageengine_applications_manager 11.8 build11800

zohocorp/manageengine_applications_manager 11.9 build11900 (2 CPE variants)

... and 15 more

Published Jan 10, 2022

Tracked Since Feb 18, 2026