First published: Fri Jul 13 2018
In ManageEngine Applications Manager 12 and 13 before build 13200, an authenticated user is able to alter all of their own properties, including their own group, i.e. changing their group to one with higher privileges like "ADMIN". A user is also able to change properties of another user, e.g. change another user's password.
Credit: cret@cert.org
Affected Software | Affected Version | How to fix |
---|---|---|
Zohocorp ManageEngine Applications Manager | =12.0 | |
Zohocorp ManageEngine Applications Manager | =13.0 | |
CVE-2016-9489 is a vulnerability in ManageEngine Applications Manager 12 and 13 that allows an authenticated user to alter their own properties and the properties of other users, potentially granting higher privileges.
CVE-2016-9489 has a severity rating of 8.8 (high).
An attacker with authenticated access can exploit CVE-2016-9489 by changing their group to one with higher privileges, such as 'ADMIN', or by changing the properties of another user.
A fix for CVE-2016-9489 is available in build 13200 of ManageEngine Applications Manager 12 and 13.
You can find more information about CVE-2016-9489 on the seclists.org, manageengine.com, and securityfocus.com websites.
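
The behaviour described above comes down to two missing server-side checks: which account a request targets, and which properties it may set. The following is an added example, not ManageEngine code, modelling an update handler without and with those checks; the handler names, the `OPERATOR` group and the self-editable field list are assumptions.

```python
"""Constructed model of the flaw class; all names are hypothetical, not ManageEngine code."""
from dataclasses import dataclass, field

# Assumed policy: properties a non-admin may change on their own account.
SELF_EDITABLE = frozenset({"email", "description", "password"})


class AuthorizationError(Exception):
    """Raised when a request touches a target or field the actor may not change."""


@dataclass
class User:
    name: str
    group: str  # "ADMIN" is from the advisory; "OPERATOR" is a constructed sample
    props: dict = field(default_factory=dict)


def _apply(target, changes):
    for key, value in changes.items():
        if key == "group":
            target.group = value
        else:
            target.props[key] = value


def update_user_vulnerable(actor, target, changes):
    """'Before' behaviour: any authenticated actor, any target, any property."""
    _apply(target, changes)


def update_user_hardened(actor, target, changes):
    """Check target ownership and every field, then apply all-or-nothing."""
    if actor.group != "ADMIN":
        if target.name != actor.name:
            raise AuthorizationError("non-admin may only edit their own account")
        denied = sorted(set(changes) - SELF_EDITABLE)
        if denied:
            raise AuthorizationError(f"not self-editable: {denied}")
    _apply(target, changes)


if __name__ == "__main__":
    alice = User("alice", "OPERATOR")  # constructed sample users
    bob = User("bob", "OPERATOR")
    update_user_vulnerable(alice, alice, {"group": "ADMIN"})
    print("vulnerable handler, alice's group:", alice.group)
    alice.group = "OPERATOR"
    for target, changes in [(alice, {"group": "ADMIN"}), (bob, {"password": "x"})]:
        try:
            update_user_hardened(alice, target, changes)
        except AuthorizationError as exc:
            print("hardened handler rejected:", exc)
```

Because the hardened handler validates the whole request before writing anything, a request that mixes an allowed field with `group` is rejected without a partial update.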