Security advisory for Applications Manager & Applications Manager Plugin users below version 14.3

This is a security advisory for all ManageEngine Applications Manager and ManageEngine Applications Manager Plugin users below version 14.3. We recommend that you upgrade to the latest version of Applications Manager to avoid the security vulnerabilities described below.

Severity: 
High

Vulnerabilities:

For Applications Manager users:

Vulnerability type:
SQL Injection/Remote Code Execution

Vulnerability description:
Due to an SQL Injection vulnerability in NewThresholdConfiguration.jsp, a low-authority Applications Manager user could gain admin user authority and execute commands via the "Execute Program Action(s)" feature. This issue has been assigned CVE-2019-15105.


For Applications Manager Plugin users:

Vulnerability types:
SQL Injection/Remote Code Execution
Unauthenticated Remote Command Execution

Vulnerability description:
Due to an SQL Injection vulnerability in NewThresholdConfiguration.jsp, a low-authority Applications Manager Plugin user could gain admin user authority and execute commands via the "Execute Program Action(s)" feature. This issue has been assigned CVE-2019-15104.

An unauthenticated Applications Manager Plugin user could gain access to the system by bypassing the user password requirements and executing commands on the server. This issue has been assigned CVE-2019-15106.


Affected versions:

Applications Manager/Applications Manager Plugin 


OpManager users having Applications Manager Plugin


Please note that versions other than those mentioned above remain unaffected by the vulnerability.

 

Solutions:


For Applications Manager/Applications Manager Plugin users:

Download the service pack and upgrade to the latest version. Please read the instructions before you upgrade. For further assistance, write to us at appmanager-support@manageengine.com or call us at +1 408 916 9494.


For OpManager users having Applications Manager Plugin:

If you are using an OpManager build below version 124047, download the service pack and upgrade to the latest version. Please read the instructions before you upgrade.

If you are using an OpManager build between 124050 and 124069, contact opmanager-support@manageengine.com for further details.



We offer our sincere apologies for any inconvenience caused.
