Posted by Pedro Ribeiro on Jan 28

Hi,

This is part 12 of the ManageOwnage series. For previous parts, see [1].

This time we have an arbitrary file download, directory content
disclosure and blind SQL injection vulnerabilities in ManageEngine
OpManager, Applications Manager and IT360.

I’ve pushed two new Metasploit modules into the framework that exploit
the file download and the content disclosure [2], these should
hopefully be accepted soon.
The full advisory text is…