CVE-2014-6043

ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 does not properly restrict access to the database browser, which allows remote authenticated users to obtain access to the database via a direct request to event/runQuery.do. Fixed in Build 10000.

Published: Sep 11, 2014
Updated: Apr 13, 2023
CVE: CVE-2014-6043
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-264

Affected Software
References

Software	From	Fixed in
zohocorp / manageengine_eventlog_analyzer	9.0-9002	9.0-9002.x
zohocorp / manageengine_eventlog_analyzer	8.2-8020	8.2-8020.x

http://packetstormsecurity.com/files/128102/ManageEngine-EventLog-Analyzer-9.9-Authorization-Code-Execution.html
http://seclists.org/fulldisclosure/2014/Aug/86
http://seclists.org/fulldisclosure/2014/Sep/19
http://www.exploit-db.com/exploits/34519
http://www.securityfocus.com/bid/69482
https://www.mogwaisecurity.de/advisories/MSA-2014-01.txt

Vulnerability Database

289,784

CVE-2014-6043