CVE-2020-16267
Description
Zoho ManageEngine Applications Manager version 14740 and prior allows an authenticated SQL Injection via a crafted jsp request in the RCA module.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated SQL injection in Zoho ManageEngine Applications Manager before build 14750 allows attackers to execute arbitrary SQL queries via the RCA module.
Vulnerability
CVE-2020-16267 is an authenticated SQL injection vulnerability in Zoho ManageEngine Applications Manager version 14740 and prior [1][2]. The flaw resides in the RCA (Root Cause Analysis) module, where a crafted JSP request can be used to inject arbitrary SQL commands. Authentication is required to reach the affected code path.
Exploitation
An attacker with valid credentials to the Applications Manager console can send a specially crafted JSP request to the RCA module. The application fails to properly sanitize user-supplied input used in SQL queries, allowing the attacker to execute arbitrary SQL statements. No specific network position beyond authenticated web access is required.
Impact
Successful exploitation allows the attacker to execute arbitrary SQL queries against the backend database. This can lead to disclosure of sensitive data, modification or deletion of database contents, and potentially privilege escalation depending on the database user permissions in the context of the application.
Mitigation
The vulnerability is fixed in build 14750 of the Applications Manager [2][3]; users should upgrade to this build or later. No workaround or patch details for earlier versions are provided; upgrading is the recommended mitigation [2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho/ManageEngine Applications Manager
  - Range: <=14740
Patches
No patches discovered yet.
References
- www.manageengine.com (mitre, x_refsource_MISC)
- www.manageengine.com/products/applications_manager/issues.html (mitre, x_refsource_CONFIRM)
- www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2020-16267.html (mitre, x_refsource_CONFIRM)