CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2016-9488

ManageEngine Applications Manager versions 12 and 13 before build 13200 suffer from remote SQL injection vulnerabilities. An unauthenticated attacker is able to access the URL /servlet/MenuHandlerServlet, which is vulnerable to SQL injection. The attacker could extract users' password hashes, which are MD5 hashes without salt, and, depending on the database type and its configuration, could also execute operating system commands using SQL queries.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.057

EPSS Ranking 89.9%

CVSS Severity

CVSS v3 Score 9.8

CVSS v2 Score 7.5

References

http://packetstormsecurity.com/files/158554/ManageEngine-Applications-Manager-13-SQL-Injection.html
http://seclists.org/fulldisclosure/2017/Apr/9
http://www.securityfocus.com/bid/97394
https://packetstormsecurity.com/files/142022/ManageEngine-Applications-Manager-12-13-XSS-SQL-Injection-Code-Execution.html
https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9488.html
http://packetstormsecurity.com/files/158554/ManageEngine-Applications-Manager-13-SQL-Injection.html
http://seclists.org/fulldisclosure/2017/Apr/9
http://www.securityfocus.com/bid/97394
https://packetstormsecurity.com/files/142022/ManageEngine-Applications-Manager-12-13-XSS-SQL-Injection-Code-Execution.html
https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9488.html

Products affected by CVE-2016-9488

Manageengine » Applications Manager » Version: 12.0

cpe:2.3:a:manageengine:applications_manager:12.0
Manageengine » Applications Manager » Version: 13.0

cpe:2.3:a:manageengine:applications_manager:13.0

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2016-9488

Products

Pricing

Contact Us