ManageEngine Applications Manager versions 12 and 13 suffer from a Reflected Cross-Site Scripting vulnerability
CVE-2016-9490

6.1MEDIUM

Key Information:

Vendor

Manageengine
Status
Applications Manager
Vendor
CVE Published:
5 June 2018

What is CVE-2016-9490?

ManageEngine Applications Manager versions 12 and 13 before build 13200 suffer from a Reflected Cross-Site Scripting vulnerability. Applications Manager is prone to a Cross-Site Scripting vulnerability in parameter LIMIT, in URL path /DiagAlertAction.do?REQTYPE=AJAX&LIMIT=1233. The URL is also available without authentication.

Affected Version(s)

Applications Manager 12

Applications Manager 13

References

http://seclists.org/fulldisclosure/2017/Apr/9
mailing-listx_refsource_FULLDISC
https://packetstormsecurity.com/files/142022/ManageEngine...
x_refsource_MISC
https://www.manageengine.com/products/applications_manage...
x_refsource_CONFIRM

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.