Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2016-9488

CWE-89SQL Injection4 documents4 sources
Severity
9.8CRITICAL
EPSS
4.4%
top 10.99%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Manageengine Applications Manager
Timeline
PublishedJun 5
Latest updateMay 13

Description

ManageEngine Applications Manager versions 12 and 13 before build 13200 suffer from remote SQL injection vulnerabilities. An unauthenticated attacker is able to access the URL /servlet/MenuHandlerServlet, which is vulnerable to SQL injection. The attacker could extract users' password hashes, which are MD5 hashes without salt, and, depending on the database type and its configuration, could also execute operating system commands using SQL queries.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

🔴Vulnerability Details

2
GHSA
GHSA-chxq-hg75-w349: ManageEngine Applications Manager versions 12 and 13 before build 13200 suffer from remote SQL injection vulnerabilities2022-05-13
CVEList
ManageEngine Applications Manager versions 12 and 13 suffer from remote SQL injection vulnerabilities2018-06-05

💥Exploits & PoCs

1
Exploit-DB
ManageEngine Applications Manager 13 - 'MenuHandlerServlet' SQL Injection2020-07-26
CVE-2016-9488 (CRITICAL CVSS 9.8) | ManageEngine Applications Manager v | cvebase.io