An issue was discovered in Zoho ManageEngine Applications Manager 11.0 through 14.0. An unauthenticated user can gain the authority of SYSTEM on the server due to a Popup_SLA.jsp sid SQL injection vulnerability. For example, the attacker can subsequently write arbitrary text to a .vbs file.
CWE-89
CVE-2019-11450
whatsns 4.0 allows index.php?question/ajaxadd.html title SQL injection.
CVE-2019-11451
whatsns 4.0 allows index.php?inform/add.html qid SQL injection.
CVE-2019-11452
whatsns 4.0 allows index.php?admin_category/remove.html cid[] SQL injection.
CVE-2019-11469
Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the “Execute Program Action(s)” feature.
CVE-2019-11362
app/controllers/frontend/PostController.php in ROCBOSS V2.2.1 has SQL injection via the Post:doReward score paramter, as demonstrated by the /do/reward/3 URI.
