Arbitrary SQL Command Execution in ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and Earlier
CVE-2015-7387 · HIGH Severity
AV:N/AC:L/AU:N/C:P/I:P/A:P
ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions and execute arbitrary SQL commands via an allowed query followed by a disallowed one in the query parameter to event/runQuery.do, as demonstrated by "SELECT 1;INSERT INTO." Fixed in Build 11200.
Learn more about our Cis Benchmark Audit For Microsoft Sql Server.