Zoho ManageEngine Applications Manager '/auditLogAction.do' Module SQL Injection Vulnerability

Zoho ManageEngine Applications Manager is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
An attacker may leverage this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
ManageEngine Applications Manager 13.1 Build 13100 is vulnerable; other versions may also be affected.

Information

Bugtraq ID: 108470
Class: Input Validation Error
CVE: CVE-2017-11738

Remote: Yes
Local: No
Published: Aug 09 2019 12:00AM
Updated: Aug 09 2019 12:00AM
Credit: Elvin Hayes Gentiles of Trustwave SpiderLabs
Vulnerable: Zoho ManageEngine Applications Manager 13.1 Build 13100

Not Vulnerable:

Exploit

The researcher has created a proof-of-concept to demonstrate the issue. Please see the references for more information.

References:

• ManageEngine Applications Manager Homepage (Zoho)
  
• Trustwave SpiderLabs Security Advisory TWSL2017-015 (Trustwave)
  

Source: www.securityfocus.com