Arbitrary SQL Command Execution in ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and Earlier

Arbitrary SQL Command Execution in ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and Earlier

CVE-2015-7387 · HIGH Severity

AV:N/AC:L/AU:N/C:P/I:P/A:P

ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions and execute arbitrary SQL commands via an allowed query followed by a disallowed one in the query parameter to event/runQuery.do, as demonstrated by "SELECT 1;INSERT INTO." Fixed in Build 11200.

Learn more about our Cis Benchmark Audit For Microsoft Sql Server.