Vulnerability Details : CVE-2014-6043
Potential exploit
ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 does not properly restrict access to the database browser, which allows remote authenticated users to obtain access to the database via a direct request to event/runQuery.do. Fixed in Build 10000.
Products affected by CVE-2014-6043
- cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:9.0:9002:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_eventlog_analyzer:8.2:8020:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-6043
5.80%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 90 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-6043
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
6.5
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
8.0
|
6.4
|
NIST |
CWE ids for CVE-2014-6043
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-6043
-
http://www.securityfocus.com/bid/69482
ManageEngine EventLog Analyzer Multiple Security VulnerabilitiesExploit
-
http://www.exploit-db.com/exploits/34519
ManageEngine EventLog Analyzer - Multiple Vulnerabilities (1) - JSP webapps ExploitExploit
-
http://packetstormsecurity.com/files/128102/ManageEngine-EventLog-Analyzer-9.9-Authorization-Code-Execution.html
ManageEngine EventLog Analyzer 9.9 Authorization / Code Execution ≈ Packet StormExploit
-
http://seclists.org/fulldisclosure/2014/Aug/86
Full Disclosure: Mogwai Security Advisory MSA-2014-01: ManageEngine EventLog Analyzer Multiple VulnerabilitiesExploit;US Government Resource
-
http://seclists.org/fulldisclosure/2014/Sep/19
Full Disclosure: Re: Mogwai Security Advisory MSA-2014-01: ManageEngine EventLog Analyzer Multiple VulnerabilitiesExploit
-
https://www.mogwaisecurity.de/advisories/MSA-2014-01.txt
Exploit
Jump to