Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cveCertccCVE-2016-9491
HistoryJul 13, 2018 - 8:29 p.m.

CVE-2016-9491

2018-07-1320:29:01
CWE-200
CWE-611
certcc
web.nvd.nist.gov
31
manageengine
applications manager
cve-2016-9491
information security
filesystem
configuration
vulnerability

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:C/I:N/A:N

CVSS3

4.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

AI Score

4.9

Confidence

High

EPSS

0.001

Percentile

44.9%

JSON

ManageEngine Applications Manager 12 and 13 before build 13690 allows an authenticated user, who is able to access /register.do page (most likely limited to administrator), to browse the filesystem and read the system files, including Applications Manager configuration, stored private keys, etc. By default Application Manager is running with administrative privileges, therefore it is possible to access every directory on the underlying operating system.

Affected configurations

Nvd
Node
zohocorpmanageengine_applications_managerMatch12.0
OR
zohocorpmanageengine_applications_managerMatch13.0
VendorProductVersionCPE
zohocorpmanageengine_applications_manager12.0cpe:2.3:a:zohocorp:manageengine_applications_manager:12.0:*:*:*:*:*:*:*
zohocorpmanageengine_applications_manager13.0cpe:2.3:a:zohocorp:manageengine_applications_manager:13.0:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "Applications Manager",
    "vendor": "ManageEngine",
    "versions": [
      {
        "status": "affected",
        "version": "12"
      },
      {
        "status": "affected",
        "version": "13"
      }
    ]
  }
]

Related

cvelist 1
prion 1
nvd 1
cvelist
cvelist
CVE-2016-9491 ManageEngine Applications Manager 12 and 13 is vulnerable to privilege escalation due to improper restriction of an XML external entity
2018-07-13 20:00:00
prion
prion
Design/Logic Flaw
2018-07-13 20:29:00
nvd
nvd
CVE-2016-9491
2018-07-13 20:29:01

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:C/I:N/A:N

CVSS3

4.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

AI Score

4.9

Confidence

High

EPSS

0.001

Percentile

44.9%

JSON
Related for CVE-2016-9491
cvelist1prion1nvd1