A remote code execution issue was discovered in Zoho ManageEngine Applications Manager before 13.6 (build 13640). The publicly accessible testCredential.do endpoint takes multiple user inputs and validates supplied credentials by accessing a specified system. This endpoint calls several internal classes, and then executes a PowerShell script. If the specified system is OfficeSharePointServer, then the username and password parameters to this script are not validated, leading to Command Injection.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2024-08-05T06:37:59.625Z

Reserved: 2018-03-08T00:00:00

Link: CVE-2018-7890

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2018-03-08T22:29:00.233

Modified: 2024-11-21T04:12:55.917

Link: CVE-2018-7890

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.