CVE-2016-9489

Published: Jul 13, 2018Modified: Nov 21, 2024

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

In ManageEngine Applications Manager 12 and 13 before build 13200, an authenticated user is able to alter all of their own properties, including own group, i.e. changing their group to one with higher privileges like "ADMIN". A user is also able to change properties of another user, e.g. change another user's password.

Affected (2)

Products: Zohocorp: Manageengine Applications Manager

1 product

Manageengine Applications Manager

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Zohocorp Manageengine Applications Manager	Version 12.0
Zohocorp Manageengine Applications Manager	Version 13.0

Related CWEs

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (6)

http://seclists.org/fulldisclosure/2017/Apr/9

Source: cret@cert.org

Mailing ListThird Party Advisory

https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9489.html

Source: cret@cert.org

Vendor Advisory

https://www.securityfocus.com/bid/97394/

Source: cret@cert.org

Third Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2017/Apr/9

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9489.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://www.securityfocus.com/bid/97394/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

Timeline

No history available yet.