CVE-2022-43672: SQL Injection vulnerability in ManageEngine Password Manager Pro, PAM360 and Access Manager Plus

Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection (in a different software component relative to CVE-2022-43671).


Severity: High

CVE ID: CVE-2022-43672

Details:
An SQL Injection vulnerability was discovered in Password Manager Pro, PAM360 and Access Manager Plus due to improper input validation. This has now been fixed.

Product Name            Affected Version(s)    Fixed Version(s)    Fixed On
Password Manager Pro    12121 and below        12122               21-10-2022
PAM360                  5710 and below         5711                22-10-2022
Access Manager Plus     4305 and below         4306                23-10-2022

An SQL Injection vulnerability was discovered in PAM360, Password Manager Pro and Access Manager Plus. To fix this, we have added proper input validation and escaping of special characters.

Given the severity of this vulnerability, customers are strongly advised to upgrade to the latest build of PAM360, Password Manager Pro and Access Manager Plus immediately.

Impact:

This vulnerability can allow an adversary to execute custom queries through the vulnerable request and read database table entries.

Steps to Upgrade:

  1. Download the latest upgrade pack from the following links for the respective products:
    • PAM360 - https://www.manageengine.com/privileged-access-management/upgradepack.html
    • Password Manager Pro - https://www.manageengine.com/products/passwordmanagerpro/upgradepack.html
    • Access Manager Plus - https://www.manageengine.com/privileged-session-management/upgradepack.html
  2. Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.

For further details, please contact product support at the email addresses below:

PAM360: [email protected]

Password Manager Pro: [email protected]

Access Manager Plus: [email protected]
