ManageEngine Applications Manager Invalid URL Remote Information Disclosure

medium Nessus Plugin ID 30056

Synopsis

The remote web server is running an application affected by an information disclosure vulnerability.

Description

The version of ManageEngine Applications Manager installed on the remote host is affected by an information disclosure vulnerability due to the application returning a summary of monitor groups and alerts in response to a request with an invalid URL. A remote attacker, using a URL with an invalid target location, can exploit this to access sensitive 'Home->Summary' information about the applications and services being monitored.

Note that this version may also be affected by several other information disclosure and cross-site scripting vulnerabilities; however, Nessus did not explicitly check for these issues.

Solution

Contact the vendor for a patch or upgrade details.

See Also

http://www.nessus.org/u?7c7eb7e6

Plugin Details

Severity: Medium

ID: 30056

File Name: appmanager_404_info_disclosure.nasl

Version: 1.19

Type: remote

Family: CGI abuses

Published: 1/26/2008

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:manageengine:applications_manager

Required KB Items: installed_sw/ManageEngine Applications Manager

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 1/24/2008

Reference Information

CVE: CVE-2008-0475

BID: 27443

CWE: 20