CVE-2017-16850 : What You Need to Know

Learn about CVE-2017-16850 affecting Zoho ManageEngine Applications Manager 13. Discover the impact, affected systems, exploitation method, and mitigation steps.

Zoho ManageEngine Applications Manager 13 before build 13530 allows SQL injection via the /showresource.do resourceid parameter in a getResourceProfiles action.

Understanding CVE-2017-16850

The getResourceProfiles action in Zoho ManageEngine Applications Manager 13, prior to build 13530, allows for SQL injection via the resourceid parameter in the /showresource.do resource.

What is CVE-2017-16850?

The vulnerability in Zoho ManageEngine Applications Manager 13 is a SQL injection through the resourceid parameter of /showresource.do, potentially leading to unauthorized access or data manipulation.

The Impact of CVE-2017-16850

This vulnerability could be exploited by attackers to execute arbitrary SQL commands, compromising the integrity and confidentiality of the application's data.

Technical Details of CVE-2017-16850

Zoho ManageEngine Applications Manager 13 before build 13530 is susceptible to SQL injection attacks.

Vulnerability Description

The getResourceProfiles action in Zoho ManageEngine Applications Manager 13 allows SQL injection via the resourceid parameter in the /showresource.do resource.

Affected Systems and Versions

        Product: Zoho ManageEngine Applications Manager 13
        Versions: All versions before build 13530

Exploitation Mechanism

Attackers can exploit this vulnerability by injecting malicious SQL commands through the resourceid parameter in the /showresource.do resource.

Mitigation and Prevention

To address CVE-2017-16850, follow these steps:

Immediate Steps to Take

        Update Zoho ManageEngine Applications Manager to build 13530 or later.
        Implement input validation mechanisms to sanitize user inputs and prevent SQL injection attacks.

Long-Term Security Practices

        Regularly monitor and audit application logs for any suspicious activities.
        Conduct security assessments and penetration testing to identify and remediate vulnerabilities.
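
The log auditing recommended above can be made specific to this endpoint. The following Python script is an added example, not part of the original advisory or Zoho's code: it flags access-log requests to /showresource.do with the getResourceProfiles action whose resourceid is not purely numeric. The access-log format, the digits-only form of legitimate resourceid values, and the `method` parameter name used in the constructed sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line inside a common/combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
TARGET_PATH = "/showresource.do"        # endpoint named in the advisory
TARGET_ACTION = "getResourceProfiles"   # action named in the advisory
NUMERIC_ID = re.compile(r"[0-9]{1,20}")  # assumption: legitimate resourceid values are digits only


def suspicious_requests(log_lines):
    """Return (line_number, decoded_resourceid) for non-numeric resourceid values."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith(TARGET_PATH):
            continue
        # parse_qs percent-decodes values; keep blanks so an empty id is also reported.
        params = parse_qs(url.query, keep_blank_values=True)
        # The advisory does not say which parameter carries the action name,
        # so accept it as the value of any parameter.
        if not any(TARGET_ACTION in values for values in params.values()):
            continue
        for value in params.get("resourceid", []):
            if not NUMERIC_ID.fullmatch(value):
                hits.append((lineno, value))
    return hits


# Constructed sample log lines (not from a real system); "method" is a placeholder name.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Dec/2017:10:00:01 +0000] "GET /showresource.do?resourceid=10000055&method=getResourceProfiles HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Dec/2017:10:02:17 +0000] "GET /showresource.do?resourceid=10000055%27&method=getResourceProfiles HTTP/1.1" 200 312',
    '192.0.2.10 - - [01/Dec/2017:10:03:40 +0000] "GET /index.do?resourceid=abc HTTP/1.1" 200 880',
    '192.0.2.44 - - [01/Dec/2017:10:04:02 +0000] "GET /showresource.do?method=getResourceProfiles&resourceid= HTTP/1.1" 500 97',
]

if __name__ == "__main__":
    for lineno, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {lineno}: non-numeric resourceid {value!r}")
```

Access logs record only the request URL, so a resourceid sent in a POST body is not visible to this check.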

Patching and Updates

        Stay informed about security updates and patches released by Zoho ManageEngine.
