Posted by Pedro Ribeiro on Nov 09

Hi,

This is the 8th part of the ManageOwnage series. For previous parts see [1].

This time we have a file upload leading to remote code execution and a
blind SQL injection in ManageEngine OpManager, Social IT Plus and
IT360.
ManageEngine have released an emergency fix, see details in the
advisory below. The proper fixed version will be 11.5, which will come
out at the end of the year.

I had already released a Metasploit exploit for RCE back in…