Zoho ManageEngine Applications Manager is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
An attacker may leverage this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
ManageEngine Applications Manager 13.1 Build 13100 is vulnerable; other versions may also be affected.

Information

Bugtraq ID: 108470

Class: Input Validation Error

CVE: CVE-2017-11738

Remote: Yes

Local: No

Published: Aug 09 2019 12:00AM

Updated: Aug 09 2019 12:00AM

Credit: Elvin Hayes Gentiles of Trustwave SpiderLabs

Vulnerable: Zoho ManageEngine Applications Manager 13.1 Build 13100

Not Vulnerable:

Exploit

The researcher has created a proof-of-concept to demonstrate the issue. Please see the references for more information.

Source