CVE-2019-15106

Опубликовано: 16 авг. 2019

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Средний

Описание

An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. One can bypass the user password requirement and execute commands on the server. The "username+'@opm' string is used for the password. For example, if the username is admin, the password is admin@opm.

Ссылки

http://pentest.com.tr/exploits/DEFCON-ManageEngine-OpManager-v12-4-Unauthenticated-Remote-Command-Execution.html
Exploit
Third Party Advisory
https://www.exploit-db.com/exploits/47229
Exploit
Third Party Advisory
VDB Entry
https://www.manageengine.com/network-monitoring/security-updates/cve-2019-15106.html
https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-15106.html
http://pentest.com.tr/exploits/DEFCON-ManageEngine-OpManager-v12-4-Unauthenticated-Remote-Command-Execution.html
Exploit
Third Party Advisory
https://www.exploit-db.com/exploits/47229
Exploit
Third Party Advisory
VDB Entry
https://www.manageengine.com/network-monitoring/security-updates/cve-2019-15106.html
https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-15106.html

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:zohocorp:manageengine_opmanager:*:*:*:*:*:*:*:*

Версия до 12.4.034 (включая)

EPSS

Процентиль: 97%

0.3724

Средний

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-306

Связанные уязвимости

GHSA-783q-f465-8jv7

github

больше 3 лет назад

An issue was discovered in Zoho ManageEngine OpManager through 12.4x. One can bypass the user password requirement and execute commands on the server. The "username+'@opm' string is used for the password. For example, if the username is admin, the password is admin@opm.