CVE-2020-27995
Description
SQL Injection in Zoho ManageEngine Applications Manager 14 before 14560 allows an attacker to execute commands on the server via the MyPage.do template_resid parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in Zoho ManageEngine Applications Manager before 14560 allows remote command execution via the MyPage.do template_resid parameter.
Vulnerability
Zoho ManageEngine Applications Manager versions before 14560 contain a SQL injection vulnerability in the MyPage.do endpoint. The template_resid parameter is not properly sanitized, allowing an attacker to inject arbitrary SQL commands. The vulnerability is reachable without authentication due to the design of the affected page. [1]
Exploitation
An attacker with network access to the server can send a crafted HTTP request to the MyPage.do endpoint with a malicious value in the template_resid parameter. No authentication or special privileges are required. The injected SQL payload can be leveraged to execute operating system commands on the database server, which in this application architecture can lead to command execution on the application server. [1]
Impact
Successful exploitation allows an attacker to execute arbitrary commands on the server, potentially leading to full compromise of the application and underlying system. This includes data exfiltration, modification, or destruction, as well as lateral movement within the network. The impact is considered critical due to the lack of authentication required and the high privileges achievable. [1]
Mitigation
Zoho has released version 14560 of ManageEngine Applications Manager, which fixes this vulnerability. Users should upgrade to version 14560 or later immediately. No workarounds are available for unpatched versions. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho/ManageEngine Applications Manager
- Range: <14560
Patches
No patches discovered yet.
References
- [1] www.manageengine.com/products/applications_manager/issues.html (mitre, x_refsource_MISC)