Zoho's ManageEngine business unit has fixed six vulnerabilities in three of its key IT service management products, including Log360, EventLog Analyzer and Applications Manager, according to information released today.
- unauthenticated file upload remote code execution;
- unauthenticated blind SQL injection;
- unauthenticated local file inclusion;
- unauthenticated API key disclosure potentially allowing remote code execution with escalated privileges;
- and sensitive data disclosure resulting in full host compromise.
This is the second time in recent months that ManageEngine has patched key zero-day vulnerabilities in its IT service management offerings.
The earlier vulnerabilities, also discovered by Digital Defense, involved ManageEngine's ServiceDesk Plus, ServiceDesk Plus MSP, OpManager, Firewall Analyzer, Network Configuration Manager, OpUtils and NetFlow Analyzer, Digital Defense indicated at the time.