ManageEngine Applications Manager versions 12 and 13 suffer from remote SQL injection vulnerabilities

CVE-2016-9488

9.8CRITICAL

Key Information

Vendor: Manageengine
Status: Applications Manager
Vendor: CVE Published:; 5 June 2018

Summary

ManageEngine Applications Manager versions 12 and 13 before build 13200 suffer from remote SQL injection vulnerabilities. An unauthenticated attacker is able to access the URL /servlet/MenuHandlerServlet, which is vulnerable to SQL injection. The attacker could extract users' password hashes, which are MD5 hashes without salt, and, depending on the database type and its configuration, could also execute operating system commands using SQL queries.

Affected Version(s)

Applications Manager = 12

Applications Manager = 13

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Jun 5, 2018
Vulnerability Reserved.
Nov 21, 2016

Collectors

NVD DatabaseMitre Database