CVE-2016-9491

MEDIUM

ManageEngine Applications Manager 12-13 < 13690 - Authenticated XML External Entity Injection


Description

ManageEngine Applications Manager 12 and 13 before build 13690 allow an authenticated user who can access the /register.do page (most likely limited to administrators) to browse the filesystem and read system files, including the Applications Manager configuration, stored private keys, etc. By default, Applications Manager runs with administrative privileges, so every directory on the underlying operating system can be accessed this way.

References (3)

Mailing List, Third Party Advisory (mailing-list, x_refsource_fulldisc): http://seclists.org/fulldisclosure/2017/Apr/9
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): https://www.securityfocus.com/bid/97394/

Scores

CVSS v3 4.9
EPSS 0.0073
EPSS Percentile 73.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-611 CWE-200
Status published
Products (2)
zohocorp/manageengine_applications_manager 12.0
zohocorp/manageengine_applications_manager 13.0
Published Jul 13, 2018
Tracked Since Feb 18, 2026