PT-2018-5080 · Zoho · Zoho Manageengine Applications Manager

Author: Lukasz Juszczyk · Published: 2018-06-05 · Updated: 2018-08-07 · CVE-2016-9490

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: ManageEngine Applications Manager versions 12 and 13 before build 13200
Description: The issue is a reflected cross-site scripting (XSS) vulnerability in the LIMIT parameter of the URL path "/DiagAlertAction.do?REQTYPE=AJAX&LIMIT=1233". The value of LIMIT is reflected into the response without adequate validation or output encoding, and the URL is reachable without authentication.
Recommendations: For ManageEngine Applications Manager versions 12 and 13 before build 13200, update to build 13200 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/DiagAlertAction.do" endpoint and avoiding the use of the LIMIT parameter until the update is applied.
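As an added example (not code from the advisory or from Zoho), the following log-triage script flags requests to the unauthenticated "/DiagAlertAction.do" endpoint whose LIMIT value is not a plain integer, which is the allow-list check a patched build or a fronting proxy should enforce on that parameter; the access-log lines, timestamps and IP addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Common Log Format lines (not real traffic): one normal call,
# one call carrying a non-numeric LIMIT value, one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jun/2018:10:01:02 +0000] "GET /DiagAlertAction.do?REQTYPE=AJAX&LIMIT=1233 HTTP/1.1" 200 512
10.0.0.9 - - [05/Jun/2018:10:01:07 +0000] "GET /DiagAlertAction.do?REQTYPE=AJAX&LIMIT=1233%3Cscript%3E HTTP/1.1" 200 640
10.0.0.9 - - [05/Jun/2018:10:01:09 +0000] "GET /index.do HTTP/1.1" 200 100
"""

# Request line pieces we need: client IP, method, target (path + query), status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)
# Allow-list for LIMIT: a short, non-negative decimal integer and nothing else.
INT_RE = re.compile(r"\d{1,9}")

VULNERABLE_PATH = "/diagalertaction.do"  # from the advisory; matched case-insensitively


def limit_is_valid(value: str) -> bool:
    """True only if the LIMIT value is a plain integer (the safe input space)."""
    return INT_RE.fullmatch(value) is not None


def parse_line(line: str):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = REQUEST_RE.match(line)
    return m.groupdict() if m else None


def flag_suspicious(log_text: str) -> list:
    """Return one record per request to the vulnerable endpoint with a bad LIMIT."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        if url.path.lower() != VULNERABLE_PATH:
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes once
        for value in params.get("LIMIT", []):
            # Decode a second time so a double-encoded value cannot slip past the check.
            if not limit_is_valid(unquote(value)):
                hits.append({"ip": rec["ip"], "limit": value, "status": rec["status"]})
    return hits
```

A 200 status on a flagged line means the reflected value was served, so such hits merit review until build 13200 or later is deployed.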

Tags: Fix, XSS


Weakness Enumeration

Related Identifiers: CVE-2016-9490

Affected Products: Zoho ManageEngine Applications Manager