In ManageEngine Applications Manager 12 and 13 before build 13200, an authenticated user is able to alter all of their own properties, including own group, i.e. changing their group to one with higher privileges like "ADMIN". A user is also able to change properties of another user, e.g. change another user's password.
References
Link | Resource |
---|---|
http://seclists.org/fulldisclosure/2017/Apr/9 | Mailing List Third Party Advisory |
https://www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9489.html | Vendor Advisory |
https://www.securityfocus.com/bid/97394/ | Third Party Advisory VDB Entry |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: certcc
Published: 2018-07-13T20:00:00
Updated: 2018-08-06T20:57:01
Reserved: 2016-11-21T00:00:00
Link: CVE-2016-9489
JSON object: View
NVD Information
Status : Modified
Published: 2018-07-13T20:29:01.550
Modified: 2019-10-09T23:20:31.740
Link: CVE-2016-9489
JSON object: View
Redhat Information
No data.