Vulnerability Description
ManageEngine Applications Manager 12 and 13 before build 13690 allows an authenticated user, who is able to access /register.do page (most likely limited to administrator), to browse the filesystem and read the system files, including Applications Manager configuration, stored private keys, etc. By default Application Manager is running with administrative privileges, therefore it is possible to access every directory on the underlying operating system.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zohocorp | Manageengine Applications Manager | 12.0 |
Related Weaknesses (CWE)
References
- http://seclists.org/fulldisclosure/2017/Apr/9Mailing ListThird Party Advisory
- https://www.manageengine.com/products/applications_manager/security-updates/secuVendor Advisory
- https://www.securityfocus.com/bid/97394/Third Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2017/Apr/9Mailing ListThird Party Advisory
- https://www.manageengine.com/products/applications_manager/security-updates/secuVendor Advisory
- https://www.securityfocus.com/bid/97394/Third Party AdvisoryVDB Entry
FAQ
What is CVE-2016-9491?
CVE-2016-9491 is a vulnerability with a CVSS score of 4.9 (MEDIUM). ManageEngine Applications Manager 12 and 13 before build 13690 allows an authenticated user, who is able to access /register.do page (most likely limited to administrator), to browse the filesystem an...
How severe is CVE-2016-9491?
CVE-2016-9491 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-9491?
Check the references section above for vendor advisories and patch information. Affected products include: Zohocorp Manageengine Applications Manager.