CVE-2016-9491
Severity: MEDIUM
ManageEngine Applications Manager 12-13 < 13690 - Authenticated XML External Entity Injection
Title source: llmDescription
ManageEngine Applications Manager 12 and 13 before build 13690 allows an authenticated user who can access the /register.do page (most likely limited to administrators) to browse the filesystem and read system files via XML External Entity (XXE) injection, including the Applications Manager configuration, stored private keys, etc. By default Applications Manager runs with administrative privileges, so every directory on the underlying operating system can be read.
References (3)
Mailing List, Third Party Advisory (x_refsource_fulldisc): http://seclists.org/fulldisclosure/2017/Apr/9
Third Party Advisory, VDB Entry (x_refsource_bid): https://www.securityfocus.com/bid/97394/
Vendor Advisory (x_refsource_confirm): https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9491.html
Scores
CVSS v3: 4.9 (Attack Vector: NETWORK)
CVSS v3 vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.0073 (EPSS Percentile: 73.0%)
Details
CWE: CWE-611, CWE-200
Status: published
Products (2): zohocorp/manageengine_applications_manager 12.0; zohocorp/manageengine_applications_manager 13.0
Published: Jul 13, 2018
Tracked Since: Feb 18, 2026