Zoho' ManageEngine business unit has fixed six vulnerabilities in three of its key IT service management products -- including Log360, EventLog Analyzer and Applications Manager, according to information released today.
Digital Defense's Vulnerability Research Team (VRT) uncovered the flaws. Without the new ManageEngine patches, Digital Defense says the flaws could have allowed:
- unauthenticated file upload remote code execution;
- unauthenticated blind SQL injection;
- unauthenticated local file inclusion;
- unauthenticated API key disclosure potentially allowing remote code execution with escalated privileges;
- and sensitive data disclosure resulting in full host compromise.
This is the second time in recent months that ManageEngine has patched key zero day vulnerabilities to its IT service management offerings.
The earlier vulnerabilities, also discovered by Digital Defense, involved ManageEngine's ServiceDesk Plus, ServiceDesk Plus MSP, OpManager, Firewall Analyzer, Network Configuration Manager, OpUtils and NetFlow Analyzer, Digital Defense indicated at the time.
