CVE-2016-9488

Summary

CVE	CVE-2016-9488
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2018-06-05 14:29:00 UTC
Updated	2020-07-27 21:15:00 UTC
Description	ManageEngine Applications Manager versions 12 and 13 before build 13200 suffer from remote SQL injection vulnerabilities. An unauthenticated attacker is able to access the URL /servlet/MenuHandlerServlet, which is vulnerable to SQL injection. The attacker could extract users' password hashes, which are MD5 hashes without salt, and, depending on the database type and its configuration, could also execute operating system commands using SQL queries.

Risk And Classification

Problem Types: CWE-89

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Manageengine	Applications Manager	12.0	All	All	All
Application	Manageengine	Applications Manager	13.0	All	All	All
Application	Manageengine	Applications Manager	12.0	All	All	All
Application	Manageengine	Applications Manager	13.0	All	All	All

References

Reference	Source	Link	Tags
ManageEngine Applications Manager 13 SQL Injection ≈ Packet Storm	MISC	packetstormsecurity.com
Full Disclosure: ManageEngine Applications Manager Multiple Vulnerabilities	FULLDISC	seclists.org	Mailing List, Third Party Advisory
Security Updates - CVE Details \| ManageEngine Applications Manager	CONFIRM	www.manageengine.com
ManageEngine Applications Manager Multiple Security Vulnerabilities	BID	www.securityfocus.com	Third Party Advisory, VDB Entry
ManageEngine Applications Manager 12 / 13 XSS / SQL Injection / Code Execution ≈ Packet Storm	MISC	packetstormsecurity.com	Third Party Advisory, VDB Entry
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.