ManageEngine Applications Manager 12 and 13 is vulnerable to privilege escalation due to improper restriction of an XML external entity

CVE-2016-9491

4.9MEDIUM

Key Information

Vendor: Manageengine
Status: Applications Manager
Vendor: CVE Published:; 13 July 2018

Summary

ManageEngine Applications Manager 12 and 13 before build 13690 allows an authenticated user, who is able to access /register.do page (most likely limited to administrator), to browse the filesystem and read the system files, including Applications Manager configuration, stored private keys, etc. By default Application Manager is running with administrative privileges, therefore it is possible to access every directory on the underlying operating system.

Affected Version(s)

Applications Manager = 12

Applications Manager = 13

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Jul 13, 2018
Vulnerability Reserved.
Nov 21, 2016

Collectors

NVD DatabaseMitre Database

Credit

Thanks to Lukasz Juszczyk for reporting this vulnerability.