{"id":4448,"date":"2018-02-04T15:22:35","date_gmt":"2018-02-04T09:52:35","guid":{"rendered":"https:\/\/qadit.com\/blog\/?p=4448"},"modified":"2018-02-04T15:22:35","modified_gmt":"2018-02-04T09:52:35","slug":"multiple-zero-day-vulnerabilities-found-in-manageengine-products","status":"publish","type":"post","link":"https:\/\/qadit.com\/blog\/multiple-zero-day-vulnerabilities-found-in-manageengine-products\/","title":{"rendered":"Multiple zero-day vulnerabilities found in ManageEngine products"},"content":{"rendered":"<div>\n<div class=\"entry-content\">\n<p>Digital Defense uncovered multiple, previously undisclosed vulnerabilities within several Zoho ManageEngine products.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.helpnetsecurity.com\/images\/posts2018\/netflow_patch.jpg\" class=\"aligncenter\" alt=\"ManageEngine vulnerabilities\" title=\"Patch\" \/><\/p>\n<p>ManageEngine offers more than 90 tools to help manage IT operations, including networks, servers, applications, service desk, Active Directory, security, desktops, and mobile devices. 
Currently, the company claims to have more than 40,000 customers, including three out of every five Fortune 500 companies.<\/p>\n<h3>Vulnerability impact<\/h3>\n<p>The discovered vulnerabilities allow unauthenticated file upload, blind SQL injection, authenticated remote code execution and user enumeration, potentially revealing sensitive information or full compromise of the application.<\/p>\n<p>Affected applications include: ServiceDesk Plus, Service Plus MSP, OpManager, Firewall Analyzer, Network Configuration Manager, OpUtils and NetFlow Analyzer.<\/p>\n<p>Summary:<\/p>\n<ul>\n<li><strong>DDI-VRT-2018-01<\/strong> \u2013 Unauthenticated File Upload via \/servlets\/CmClientUtilServlet<\/li>\n<li><strong>DDI-VRT-2018-02<\/strong> \u2013 Unauthenticated Blind SQL Injection via \/servlets\/RegisterAgent<\/li>\n<li><strong>DDI-VRT-2018-03<\/strong> \u2013 Unauthenticated Blind SQL Injection via \/servlets\/StatusUpdateServlet and \/servlets\/AgentActionServlet<\/li>\n<li><strong>DDI-VRT-2018-04<\/strong> \u2013 Multiple Unauthenticated Blind SQL Injections via \/embedWidget<\/li>\n<li><strong>DDI-VRT-2018-05<\/strong> \u2013 Unauthenticated XML External Entity Injection via \/SNMPDiscoveryURL<\/li>\n<li><strong>DDI-VRT-2018-06<\/strong> \u2013 Unauthenticated Blind SQL Injection via \/unauthenticatedservlets\/ELARequestHandler and \/unauthenticatedservlets\/NPMRequestHandler<\/li>\n<li><strong>DDI-VRT-2018-07<\/strong> \u2013 User Enumeration via \/servlets\/ConfServlet.<\/li>\n<\/ul>\n<h3>What you can do<\/h3>\n<p>Zoho ManageEngine has addressed the vulnerabilities and is making patches available for each of the affected applications.<\/p>\n<p class=\"hnst-tag-specific-content\">\n<\/p><\/div>\n<\/p><\/div>\n<p><b>Read the Full Article here: <a href=\"https:\/\/www.helpnetsecurity.com\">&gt;Help Net Security &#8211; News<\/a><\/b><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Digital Defense uncovered multiple, previously undisclosed vulnerabilities within 
several Zoho ManageEngine products. ManageEngine offers more than 90 tools to help manage IT operations, including networks, servers, applications, service desk, Active Directory, security, desktops, and mobile devices. Currently, the company claims to have more than 40,000 customers, including three out of every five Fortune 500 companies. &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/qadit.com\/blog\/multiple-zero-day-vulnerabilities-found-in-manageengine-products\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Multiple zero-day vulnerabilities found in ManageEngine products&#8221;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[12],"tags":[293],"class_list":["post-4448","post","type-post","status-publish","format-standard","hentry","category-itsec","tag-wonder-information"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9AH7Q-19K","_links":{"self":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/4448","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":
true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/comments?post=4448"}],"version-history":[{"count":1,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/4448\/revisions"}],"predecessor-version":[{"id":4449,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/posts\/4448\/revisions\/4449"}],"wp:attachment":[{"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/media?parent=4448"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/categories?post=4448"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/qadit.com\/blog\/wp-json\/wp\/v2\/tags?post=4448"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}