Blog
01.27.2021

CVE-2020-27733: Zoho Manage Engine - SQL injection

Virsec Security Research Lab Vulnerability Analysis

The Virsec Security Research Lab provides timely, relevant analysis about recent and notable security vulnerabilities.

1.1        Vulnerability Summary

Zoho ManageEngine Applications Manager before 14 build 14880 allows an authenticated SQL Injection via a crafted Alarmview request.

CVE-2020-27733: Zoho Manage Engine (SQL Injection). Virsec Risk Index: 77%

Watch the video to learn more about this and other important vulnerabilities.

1.2        CVSS Score

The CVSS Base score of this vulnerability is 8.8 high as per NVD. CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

1.3        Affected Version

Zoho ManageEngine Applications Manager before 14 build 14880.

1.4        Vulnerability Attribution

This vulnerability is disclosed by MITRE.

1.5        Risk Impact

ManageEngine, a division of Zoho Corporation makes enterprise IT management software for IT administrators and IT managers working in small, medium, and large enterprises. 38% of the large companies use Manage Engine for their IT management.

Distribution of Companies

Any exploit of this vulnerabilities could lead to exposure of all sensitive data that resides in the database, including all employee sensitive information.

1.6        Virsec Security Platform (VSP) Support:

VSP-Web capability can detect such a SQL injection attack and prevent this attack from being exploited.

1.7        Reference Links:

 

Download the full vulnerability report to learn more about this and other important vulnerabilities.

Do you have a request for a vulnerability Virsec Security Research Lab to explore? Let us know!

About the Author
Satya Gupta is Virsec’s visionary founder, with over 25 years of expertise in embedded systems, network security and systems architecture. Satya has helped build and guide the company through key growth phases from initial funding (2015), developing core technology with key partners including Raytheon and Lockheed (2016-2018), to launching an enterprise class, GA product (2019). Prior to this, Satya built a highly profitable software design and consulting business targeting data networking, application security and industrial automation projects. He was also Director of Firmware Engineering at Narad Networks and Managing Director and Chief Engineer at Eastern Telecom and Tech Ltd. Satya has more than 40 patents in complex firmware architecture with products deployed to hundreds of thousands of users. He holds a BS degree in Engineering from the Indian Institute of Technology in Kanpur and additional degrees from the University of Massachusetts at Lowell.