Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2016-9488

ManageEngine Applications Manager versions 12 and 13 before build 13200 suffer from remote SQL injection vulnerabilities. An unauthenticated attacker is able to access the URL /servlet/MenuHandlerServlet, which is vulnerable to SQL injection. The attacker could extract users' password hashes, which are MD5 hashes without salt, and, depending on the database type and its configuration, could also execute operating system commands using SQL queries.

Published

2018-06-05T14:29:00.207

Last Modified

2024-11-21T03:01:18.727

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses

Type: Secondary
CWE-89
Type: Primary
CWE-89

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	manageengine	applications_manager	12.0	Yes
Application	manageengine	applications_manager	13.0	Yes

References

http://packetstormsecurity.com/files/158554/ManageEngine-Applications-Manager-13-SQL-Injection.html ([email protected])
http://seclists.org/fulldisclosure/2017/Apr/9 Mailing List, Third Party Advisory ([email protected])
http://www.securityfocus.com/bid/97394 Third Party Advisory, VDB Entry ([email protected])
https://packetstormsecurity.com/files/142022/ManageEngine-Applications-Manager-12-13-XSS-SQL-Injection-Code-Execution.html Third Party Advisory, VDB Entry ([email protected])
https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9488.html ([email protected])
http://packetstormsecurity.com/files/158554/ManageEngine-Applications-Manager-13-SQL-Injection.html (af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2017/Apr/9 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/97394 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://packetstormsecurity.com/files/142022/ManageEngine-Applications-Manager-12-13-XSS-SQL-Injection-Code-Execution.html Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9488.html (af854a3a-2127-422b-91ae-364da2661108)