Vulnerability Details : CVE-2020-15394
The REST API in Zoho ManageEngine Applications Manager before build 14740 allows an unauthenticated SQL Injection via a crafted request, leading to Remote Code Execution.
Vulnerability category: Sql InjectionExecute code
Products affected by CVE-2020-15394
- cpe:2.3:a:zohocorp:manageengine_applications_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:-:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14000:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14010:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14020:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14030:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14040:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14050:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14060:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14070:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14071:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14072:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14073:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14080:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14090:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14100:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14110:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14120:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14130:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14140:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14150:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14160:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14170:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14180:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14190:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14200:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14210:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14220:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14230:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14240:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14250:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14260:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14261:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14262:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14270:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14280:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14290:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14300:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14310:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14330:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14331:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14332:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14340:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14350:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14360:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14361:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14370:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14380:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14390:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14400:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14401:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14410:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14420:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14430:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14440:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14450:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14460:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14470:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14480:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14490:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14500:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14510:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14520:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14530:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14531:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14532:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14533:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14540:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14550:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14560:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14570:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14580:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14590:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14600:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14610:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14620:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14630:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14660:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14670:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14681:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14682:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14683:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14684:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14685:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14690:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14700:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14710:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14720:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_applications_manager:14.0:build14730:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-15394
0.68%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 80 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-15394
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2020-15394
-
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-15394
-
https://www.manageengine.com
ManageEngine - IT Operations and Service Management SoftwareProduct
-
https://www.manageengine.com/products/applications_manager/issues.html#v14740
List of bug fixes and feature enhancements - ManageEngine Applications ManagerVendor Advisory
-
https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2020-15394.html
Security Updates - CVE Details - CVE-2020-15394 | ManageEngine Applications ManagerVendor Advisory
Jump to