Headline
CVE-2022-40300: Multiple SQL Injection Vulnerabilities in ManageEngine Password Manager Pro, PAM360 and Access Manager Plus
Zoho ManageEngine Password Manager Pro builds up to and including 12120 (fixed in 12121), PAM360 builds up to and including 5550 (fixed in 5600), and Access Manager Plus builds up to and including 4304 (fixed in 4305) have multiple SQL injection vulnerabilities.
Severity : High
CVE ID : CVE-2022-40300
Details :
Multiple SQL Injection vulnerabilities (CVE-2022-40300) were discovered in Password Manager Pro, PAM360 and Access Manager Plus.
Product Name          Affected Version(s)   Fixed Version(s)   Fixed On (DD-MM-YYYY)
Password Manager Pro  12120 and below       12121              10-09-2022
PAM360                5550 and below        5600               11-09-2022
Access Manager Plus   4304 and below        4305               10-09-2022
The fix adds server-side validation of the affected request parameters and escapes special characters before they reach the database query.
Impact:
An adversary who can send the vulnerable request can inject custom SQL queries into it and read entries from database tables that the request was never meant to expose.
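To make the impact and the fix concrete, the following is an added example written for this page; it is not Zoho's code, uses a constructed SQLite schema and a hypothetical "username" request parameter, and does not claim to show which request in the affected products was vulnerable. It contrasts the vulnerable string-splicing pattern (the injected UNION reads a second table, which is the "access the database table entries" impact above), the quote-escaping approach the advisory describes, and the stronger combination of allowlist validation with a bound parameter.

```python
import re
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample database (not the product's schema): a table the
    request is meant to query and a second table it must never expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.execute("CREATE TABLE stored_passwords (id INTEGER PRIMARY KEY, account TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.executemany(
        "INSERT INTO stored_passwords (account, secret) VALUES (?, ?)",
        [("root@db01", "S3cr3t!"), ("svc_backup", "hunter2")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: the request parameter is spliced into the SQL text,
    so a quote character in it changes the structure of the statement."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_escaped(conn: sqlite3.Connection, username: str) -> list:
    """Escaping approach: doubling single quotes keeps the value inside the
    string literal. It closes this hole, but every call site must remember to
    do it and it only covers string-literal contexts."""
    escaped = username.replace("'", "''")
    sql = f"SELECT username, email FROM users WHERE username = '{escaped}'"
    return conn.execute(sql).fetchall()


# Allowlist for the hypothetical username parameter; anything else is rejected.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def find_user_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Validation plus a bound parameter: the value never enters the SQL text,
    so the database cannot interpret it as SQL whatever it contains."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"rejected username: {username!r}")
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed payload: closes the string literal, appends a UNION that reads a
# different table, and comments out the dangling closing quote.
INJECTION = "' UNION SELECT account, secret FROM stored_passwords --"


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable:", find_user_vulnerable(db, INJECTION))  # rows of stored_passwords leak
    print("escaped:   ", find_user_escaped(db, INJECTION))     # []
    try:
        find_user_hardened(db, INJECTION)
    except ValueError as err:
        print("hardened:  ", err)
```

Run it as a script to see the three behaviours side by side. The escaping variant mirrors the advisory's description of the fix; when reviewing a patch of this kind, check that every query that consumes the parameter is covered, since one missed call site reopens the hole, whereas a bound parameter removes the problem for that query without relying on consistent escaping.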
Steps to Upgrade:
- Download the latest upgrade pack from the following links for the respective products:
  - PAM360 - https://www.manageengine.com/privileged-access-management/upgradepack.html
  - Password Manager Pro - https://www.manageengine.com/products/passwordmanagerpro/upgradepack.html
  - Access Manager Plus - https://www.manageengine.com/privileged-session-management/upgradepack.html
- Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.
For further details, contact product support at the following email addresses:
PAM360: [email protected]
Password Manager Pro: [email protected]
Access Manager Plus: [email protected]
Related news
A cross-site scripting (XSS) vulnerability in the Query Report feature of Zoho ManageEngine Password Manager Pro version 11001 allows remote attackers to execute arbitrary code in the victim's browser and steal cookies via a crafted JavaScript payload.