CVE-2016-9491

Name of the Vulnerable Software and Affected Versions ManageEngine Applications Manager versions 12 through 13 before build 13690

Description The issue allows an authenticated user, likely with administrative privileges, to browse the filesystem and read system files, including configuration and stored private keys, by accessing the "/register.do" page. This is possible because the Application Manager runs with administrative privileges by default, granting access to every directory on the underlying operating system.

Recommendations For ManageEngine Applications Manager versions 12 through 13 before build 13690, update to build 13690 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/register.do" page to minimize the risk of exploitation.