CVE-2016-9489
Severity: HIGH
ManageEngine Applications Manager 12-13 < 13200 - Authenticated Privilege Escalation via User Property Manipulation
Title source: llm
Description
In ManageEngine Applications Manager 12 and 13 before build 13200, an authenticated user is able to alter all of their own properties, including own group, i.e. changing their group to one with higher privileges like "ADMIN". A user is also able to change properties of another user, e.g. change another user's password.
References (3)
Core References
Vendor Advisory x_refsource_confirm
https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9489.html
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2017/Apr/9
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
https://www.securityfocus.com/bid/97394/
Scores
CVSS v3: 8.8
EPSS: 0.0029
EPSS Percentile: 52.0%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-269, CWE-264, CWE-255
Status: published
Products (2):
zohocorp/manageengine_applications_manager 12.0
zohocorp/manageengine_applications_manager 13.0
Published: Jul 13, 2018
Tracked Since: Feb 18, 2026