CVE-2016-9491

CWE-611 — XML External Entity (XXE)CWE-200 — Information Exposure3 documents3 sources

Severity

4.9MEDIUM

EPSS

0.7%

top 27.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Manageengine Applications Manager Zohocorp Manageengine Applications Manager

Timeline

PublishedJul 13

Latest updateMay 13

Description

ManageEngine Applications Manager 12 and 13 before build 13690 allows an authenticated user, who is able to access /register.do page (most likely limited to administrator), to browse the filesystem and read the system files, including Applications Manager configuration, stored private keys, etc. By default Application Manager is running with administrative privileges, therefore it is possible to access every directory on the underlying operating system.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5manageengine/applications_manager12, 13+1

▶NVDzohocorp/manageengine_applications_manager12.0, 13.0+1

🔴Vulnerability Details

GHSA

GHSA-9f95-rp9g-wg85: ManageEngine Applications Manager 12 and 13 before build 13690 allows an authenticated user, who is able to access /register↗2022-05-13

▶

CVEList

ManageEngine Applications Manager 12 and 13 is vulnerable to privilege escalation due to improper restriction of an XML external entity↗2018-07-13

▶