CVE-2022-40300: Multiple SQL Injection Vulnerabilities in ManageEngine Password Manager Pro, PAM360 and Access Manager Plus (CVE-2022-40300)

Zoho ManageEngine Password Manager Pro through 12120 before 12121, PAM360 through 5550 before 5600, and Access Manager Plus through 4304 before 4305 have multiple SQL injection vulnerabilities.


Severity: High

CVE ID: CVE-2022-40300

Details:
Multiple SQL Injection vulnerabilities (CVE-2022-40300) were discovered in Password Manager Pro, PAM360 and Access Manager Plus.

Product Name            Affected Version(s)    Fixed Version(s)    Fixed On
Password Manager Pro    12120 and below        12121               10-09-2022
PAM360                  5550 and below         5600                11-09-2022
Access Manager Plus     4304 and below         4305                10-09-2022

We fixed the issue by adding proper validation and escaping special characters on the server side.

Impact:
These vulnerabilities can allow an adversary to execute custom queries and access the database table entries using the vulnerable request.
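The following is an added illustration, not code from the advisory or from the ManageEngine products, of the defect class the advisory describes and the server-side fix it names: a request parameter concatenated into SQL text lets a crafted value rewrite the query and read other rows, while binding the value as a parameter (plus an allowlist check) confines it to a literal comparison. The table, rows and parameter names are constructed for the example; the affected products' real schema and endpoints are not described on the page.

```python
import re
import sqlite3

# Constructed sample data standing in for a product's account table.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, name TEXT, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        (1, "db-prod", "alice"),
        (2, "db-stage", "alice"),
        (3, "router-core", "bob"),
    ])
    return conn

def lookup_vulnerable(conn, owner):
    # "Before"-style code: the request parameter becomes part of the SQL text,
    # so quote characters in it change the meaning of the statement and the
    # caller can be served rows that the filter was meant to exclude.
    sql = ("SELECT id, name FROM accounts WHERE owner = '" + owner
           + "' ORDER BY id")
    return conn.execute(sql).fetchall()

# Allowlist for the value: the advisory's "proper validation" step. Anything
# outside a plain identifier character set is rejected before reaching SQL.
_OWNER_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

def lookup_fixed(conn, owner):
    # "After"-style code: validate the input, then pass it as a bound
    # parameter. The driver handles quoting, so the value can only ever be
    # compared against the owner column, never interpreted as SQL.
    if not _OWNER_RE.match(owner):
        raise ValueError("owner parameter failed validation")
    sql = "SELECT id, name FROM accounts WHERE owner = ? ORDER BY id"
    return conn.execute(sql, (owner,)).fetchall()

def demo():
    conn = build_db()
    crafted = "x' OR '1'='1"  # constructed input that breaks out of the quote
    leaked = lookup_vulnerable(conn, crafted)   # returns every row
    try:
        lookup_fixed(conn, crafted)             # rejected by validation
        rejected = False
    except ValueError:
        rejected = True
    return len(leaked), rejected

if __name__ == "__main__":
    print(demo())
```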

Steps to Upgrade:

  1. Download the latest upgrade pack from the following links for the respective products:
    • PAM360 - https://www.manageengine.com/privileged-access-management/upgradepack.html
    • Password Manager Pro - https://www.manageengine.com/products/passwordmanagerpro/upgradepack.html
    • Access Manager Plus - https://www.manageengine.com/privileged-session-management/upgradepack.html
  2. Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.

Please contact product support for further details at the email addresses below:

PAM360: [email protected]

Password Manager Pro: [email protected]

Access Manager Plus: [email protected]
