Vulnerability Details CVE-2019-15106
An issue was discovered in Zoho ManageEngine OpManager in builds before 14310. One can bypass the user password requirement and execute commands on the server. The "username+'@opm' string is used for the password. For example, if the username is admin, the password is admin@opm.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.372
EPSS Ranking 97.0%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- http://pentest.com.tr/exploits/DEFCON-ManageEngine-OpManager-v12-4-Unauthenticated-Remote-Command-Execution.html
- https://www.exploit-db.com/exploits/47229
- https://www.manageengine.com/network-monitoring/security-updates/cve-2019-15106.html
- https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-15106.html
- http://pentest.com.tr/exploits/DEFCON-ManageEngine-OpManager-v12-4-Unauthenticated-Remote-Command-Execution.html
- https://www.exploit-db.com/exploits/47229
- https://www.manageengine.com/network-monitoring/security-updates/cve-2019-15106.html
- https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2019-15106.html
Products affected by CVE-2019-15106
-
cpe:2.3:a:zohocorp:manageengine_opmanager:-
-
cpe:2.3:a:zohocorp:manageengine_opmanager:11.4
-
cpe:2.3:a:zohocorp:manageengine_opmanager:11.5
-
cpe:2.3:a:zohocorp:manageengine_opmanager:12.2
-
cpe:2.3:a:zohocorp:manageengine_opmanager:12.3
-
cpe:2.3:a:zohocorp:manageengine_opmanager:12.4
-
cpe:2.3:a:zohocorp:manageengine_opmanager:8