This is a security advisory for all ManageEngine Applications Manager users below build number 14685 (to check, go to the 'Support' tab -> Install Information -> Build Number). We recommend that you upgrade to the latest version of Applications Manager to avoid the security vulnerabilities described below.
Severity: Critical
Affected versions: Below 14684
Versions other than those mentioned above are not affected by the vulnerability.
Issue reported: Unauthorized access by bypassing the authentication mechanism.
Vulnerabilities:
Vulnerability type: SQL Injection
Vulnerability description: Applications Manager could be accessed by unauthorized users due to the following SQL injection vulnerabilities:
1. Unauthenticated Remote Code Execution via SQL injection in the REST API module.
2. Unauthenticated SQL Injection in the Alarm Escalation module.
These issues, tracked as CVE-2020-15394 and CVE-2020-15533, have been addressed.