Unrated severity · NVD Advisory · Published Jan 19, 2021 · Updated Aug 4, 2024

CVE-2020-27733

Description

Zoho ManageEngine Applications Manager before 14 build 14880 allows an authenticated SQL Injection via a crafted Alarmview request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated SQL injection in Zoho ManageEngine Applications Manager before build 14880 allows crafted Alarmview requests to extract database contents.

Vulnerability

An SQL injection vulnerability exists in Zoho ManageEngine Applications Manager prior to version 14 build 14880. The flaw is triggered via a specially crafted Alarmview request, which is accessible to authenticated users. No additional configuration is required beyond default settings. [1][2]

Exploitation

An attacker must first obtain a valid authenticated session for the Applications Manager web interface. Once authenticated, the attacker sends a malicious Alarmview request containing SQL metacharacters in a parameter. The injection allows the attacker to manipulate the underlying SQL query executed by the application. [1]

Impact

Successful exploitation enables the attacker to read, modify, or delete arbitrary data in the backend database, potentially exposing sensitive information such as application credentials, user data, or system configuration. The injected SQL runs with the privileges of the application's database user. [1]

Mitigation

The vulnerability is fixed in ManageEngine Applications Manager version 14 build 14880; the vendor's release date for that build is unknown. Users should upgrade to this build or later. No workarounds are documented, and this CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing. [1][2]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

2