Manage Engine Applications Manager 12 Multiple Vulnerabilities

Title: Manage Engine Applications Manager 12 Multiple Vulnerabilities
Advisory ID: ZSL-2016-5292
Type: Local/Remote
Impact: Cross-Site Scripting, Privilege Escalation
Risk: (3/5)
Release Date: 13.01.2016
Summary
ManageEngine Applications Manager is an application performance monitoring solution that proactively monitors business applications and helps businesses ensure their revenue-critical applications meet end user expectations. Applications Manager offers out-of-the-box monitoring support for 50+ applications and servers.
Description
Applications Manager suffers from multiple vulnerabilities including XSS, CSRF and Privilege Escalation.
Vendor
Zoho Corporation Pvt. Ltd. - https://www.manageengine.com
Affected Version
12
Tested On
Apache-Coyote/1.1
PostgreSQL
Vendor Status
[22.10.2015] Initial contact with the vendor.
[23.10.2015] Vendor responded asking for details.
[23.10.2015] Advisory and details sent to vendor.
[03.11.2015] Follow up with the vendor. No response received.
[06.11.2015] Second follow up with the vendor. No response received.
[22.12.2015] Final follow up with the vendor. No response received.
[13.01.2016] Public security advisory released.
PoC
app_mgr_mv.txt
Credits
Vulnerability discovered by Bikramaditya Guha - <bik@zeroscience.mk>
References
[1] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5291.php
[2] https://cxsecurity.com/issue/WLB-2016010085
[3] https://www.exploit-db.com/exploits/39235/
[4] https://packetstormsecurity.com/files/135254
Changelog
[13.01.2016] - Initial release
[14.01.2016] - Added reference [2] and [3]
[16.01.2016] - Added reference [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk