Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2016-9489


In ManageEngine Applications Manager 12 and 13 before build 13200, an authenticated user is able to alter all of their own properties, including own group, i.e. changing their group to one with higher privileges like "ADMIN". A user is also able to change properties of another user, e.g. change another user's password.


Published

2018-07-13T20:29:01.550

Last Modified

2024-11-21T03:01:18.870

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 8.8 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:N/A:N

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: SINGLE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE
Exploitability Score

8.0

Impact Score

2.9

Weaknesses
  • Type: Secondary
    CWE-269
  • Type: Primary
    CWE-255
    CWE-264

Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application zohocorp manageengine_applications_manager 12.0 Yes
Application zohocorp manageengine_applications_manager 13.0 Yes

References