CVE-2020-15927
Description
Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the SAP module.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated SQL injection in Zoho ManageEngine Applications Manager <=14740 allows attackers to execute arbitrary SQL via a crafted jsp request in the SAP module.
Vulnerability
Zoho ManageEngine Applications Manager version 14740 and prior contains a SQL injection vulnerability in the SAP module. An authenticated attacker can send a crafted jsp request to the affected endpoint, leading to arbitrary SQL execution. The vulnerability resides in improper input sanitization of parameters passed to the SAP module's database queries [2][3].
Exploitation
To exploit this vulnerability, an attacker must have valid authentication credentials for the Applications Manager web interface. The attacker crafts a malicious jsp request targeting the SAP module, injecting SQL commands into one or more parameters. No further user interaction is required; the attack is executed against the vulnerable server directly [2][3].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL queries on the underlying database. This can lead to unauthorized reading, modification, or deletion of sensitive data, including configuration information, user credentials, and application logs. Depending on the database privileges, the attacker may also escalate to administrative access or compromise other connected systems [2][3].
Mitigation
The vulnerability is fixed in ManageEngine Applications Manager version 14750, released on 2020-10-06. Users should upgrade to version 14750 or later immediately. No workarounds are documented; the vendor recommends applying the security update as soon as possible [2][3].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho/ManageEngine Applications Manager
- Range: <=14740
Patches
No patches discovered yet.
References
- www.manageengine.com (mitre, x_refsource_MISC)
- www.manageengine.com/products/applications_manager/issues.html (mitre, x_refsource_CONFIRM)
- www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2020-15927.html (mitre, x_refsource_CONFIRM)