Critical severity 9.8 · NVD Advisory · Published Jun 5, 2018 · Updated Jun 17, 2026
CVE-2016-9488
Description
ManageEngine Applications Manager versions 12 and 13 before build 13200 suffer from remote SQL injection vulnerabilities. An unauthenticated attacker is able to access the URL /servlet/MenuHandlerServlet, which is vulnerable to SQL injection. The attacker could extract users' password hashes, which are MD5 hashes without salt, and, depending on the database type and its configuration, could also execute operating system commands using SQL queries.
Affected products
- (no CPE) range: <13200
- (no CPE) range: 12
References
- seclists.org/fulldisclosure/2017/Apr/9 (nvd: Mailing List, Third Party Advisory)
- www.securityfocus.com/bid/97394 (nvd: Third Party Advisory, VDB Entry)
- packetstormsecurity.com/files/142022/ManageEngine-Applications-Manager-12-13-XSS-SQL-Injection-Code-Execution.html (nvd: Third Party Advisory, VDB Entry)
- packetstormsecurity.com/files/158554/ManageEngine-Applications-Manager-13-SQL-Injection.html (nvd)
- www.manageengine.com/products/applications_manager/security-updates/security-updates-cve-2016-9488.html (nvd)