Manage Engine Applications Manager 12 Multiple Vulnerabilities

Medium
Advisory ID
ZSL-2016-5292
Release Date
13 January 2016
Vendor
Zoho Corporation Pvt. Ltd. - https://www.manageengine.com
Affected Version
12
CVE
N/A
Tested On
Apache-Coyote/1.1, PostgreSQL
Summary

ManageEngine Applications Manager is an application performance monitoring solution that proactively monitors business applications and helps businesses ensure their revenue-critical applications meet end user expectations. Applications Manager offers out-of-the-box monitoring support for 50+ applications and servers.

Description

Applications Manager suffers from multiple vulnerabilities including XSS, CSRF and Privilege Escalation.

Proof of Concept
Disclosure Timeline
22.10.2015: Contact with the vendor.
23.10.2015: Vendor responded asking for details.
23.10.2015: Advisory and details sent to vendor.
03.11.2015: Follow up with the vendor. No response received.
06.11.2015: Second follow up with the vendor. No response received.
22.12.2015: Final follow up with the vendor. No response received.
13.01.2016: Public security advisory released.
Credits
Vulnerability discovered by Bikramaditya Guha
References
Changelog
13.01.2016: Initial release
14.01.2016: Added reference [2] and [3]
16.01.2016: Added reference [4]