CVE-2016-9488

Опубликовано: 05 июн. 2018

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

ManageEngine Applications Manager versions 12 and 13 before build 13200 suffer from remote SQL injection vulnerabilities. An unauthenticated attacker is able to access the URL /servlet/MenuHandlerServlet, which is vulnerable to SQL injection. The attacker could extract users' password hashes, which are MD5 hashes without salt, and, depending on the database type and its configuration, could also execute operating system commands using SQL queries.

Ссылки

http://packetstormsecurity.com/files/158554/ManageEngine-Applications-Manager-13-SQL-Injection.html
http://seclists.org/fulldisclosure/2017/Apr/9
Mailing List
Third Party Advisory
http://www.securityfocus.com/bid/97394
Third Party Advisory
VDB Entry
https://packetstormsecurity.com/files/142022/ManageEngine-Applications-Manager-12-13-XSS-SQL-Injection-Code-Execution.html
Third Party Advisory
VDB Entry
https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9488.html
http://packetstormsecurity.com/files/158554/ManageEngine-Applications-Manager-13-SQL-Injection.html
http://seclists.org/fulldisclosure/2017/Apr/9
Mailing List
Third Party Advisory
http://www.securityfocus.com/bid/97394
Third Party Advisory
VDB Entry
https://packetstormsecurity.com/files/142022/ManageEngine-Applications-Manager-12-13-XSS-SQL-Injection-Code-Execution.html
Third Party Advisory
VDB Entry
https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9488.html

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:manageengine:applications_manager:12.0:*:*:*:*:*:*:*

cpe:2.3:a:manageengine:applications_manager:13.0:*:*:*:*:*:*:*

EPSS

Процентиль: 89%

0.04398

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-89

Связанные уязвимости

GHSA-chxq-hg75-w349