Unrated severity · NVD Advisory · Published Oct 1, 2020 · Updated Aug 4, 2024

CVE-2020-15533

Description

In Zoho ManageEngine Application Manager 14.7 Build 14730 (before 14684, and between 14689 and 14750), the AlarmEscalation module is vulnerable to an unauthenticated SQL injection attack.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated SQL injection in ManageEngine Application Manager's AlarmEscalation module allows attackers to extract or manipulate database contents.

Vulnerability

In Zoho ManageEngine Application Manager version 14.7 (Build 14730, before build 14684 and between builds 14689 and 14750), the AlarmEscalation module is vulnerable to an unauthenticated SQL injection attack [2]. In other words, the affected builds are those before 14684 and those between 14689 and 14750 [1][3].

Exploitation

An attacker needs no authentication to exploit this vulnerability, but does need network access to the vulnerable Application Manager instance [2]. The attack does not require user interaction or any special privileges, enabling a remote attacker to inject arbitrary SQL commands into the AlarmEscalation module's input parameters [2].

Impact

Successful exploitation allows an attacker to read, modify, or delete database content through the injected SQL commands [2]. This can lead to disclosure of sensitive information, corruption of application data, or potential escalation to more severe attacks depending on the database user's privileges [2]. The exact impact on confidentiality, integrity, or availability is not fully detailed in the available references.

Mitigation

According to ManageEngine, the vulnerability is fixed in Application Manager builds 14684-14688 and build 14750 or later [2]. Users should upgrade to build 14750 or later, or ensure they are on a build between 14684 and 14688 inclusive [3]. No workaround is disclosed in the references if immediate patching is not possible [2].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

3
