SQL Injection in Zohocorp Manageengine_it360
CVE-2014-3997
SQL injection vulnerability in the MetadataServlet servlet in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition 5 through 7 build 7003, IT360 and IT360 Managed Service Providers (MSP)…
Vulnerability class: SQL Injection
EPSS: 0.013 (80.0th percentile)
Affected products
- Zohocorp Manageengine_it360
- Zohocorp Manageengine_password_manager_pro — versions 5.0, 5.1, 5.2
Weakness classification (CWE)
References
- 20140819 [The ManageOwnage Series, part I]: blind SQL injection in two servlets (metasploit module included) (mailing-list, Exploit, x_refsource_FULLDISC, Mailing List, Third Party Advisory)
- cve@mitre.org (Exploit, x_refsource_MISC)
- cve@mitre.org (Exploit, x_refsource_MISC)
- 20140830 Re: [The ManageOwnage Series, part I]: blind SQL injection in two servlets (metasploit module included) (mailing-list, Exploit, x_refsource_FULLDISC, Mailing List, Third Party Advisory)