CVE-2022-47523: SQL Injection Vulnerability
Zoho ManageEngine Access Manager Plus before 4309, Password Manager Pro before 12210, and PAM360 before 5801 are vulnerable to SQL Injection.
Severity : High
CVE ID : CVE-2022-47523
Details :
An SQL Injection vulnerability (CVE-2022-47523) was discovered in Password Manager Pro, PAM360 and Access Manager Plus. We have fixed this issue by adding proper validation and escaping special characters.
Product Name           Affected Version(s)   Fixed Version(s)   Fixed On (DD-MM-YYYY)
Password Manager Pro   12200 and below       12210              30-12-2022
PAM360                 5800 and below        5801               28-12-2022
Access Manager Plus    4308 and below        4309               29-12-2022
Given the severity of this vulnerability, customers are strongly advised to upgrade to the latest build of PAM360, Password Manager Pro and Access Manager Plus immediately.
Impact :
This vulnerability can allow an adversary to execute arbitrary SQL queries through the vulnerable request and read entries from database tables that the request was never meant to expose.
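The advisory names the vulnerability class and the fix approach (validation plus escaping of special characters) but, as is usual for vendor advisories, does not publish the vulnerable request. The following is an added, self-contained illustration of that class, not code from ManageEngine or from the affected products: a constructed sqlite3 table is queried three ways, with the request value spliced into the SQL (the injection pattern), with quote-doubling escaping of the kind the advisory describes, and with a bound parameter. The tautology and UNION payloads show the two impacts the advisory lists, running custom queries and reading rows from another table. The table names, columns and payloads are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data standing in for any database-backed record store.
# Neither table reflects the real schema of the affected products.
SAMPLE_RESOURCES = [
    (1, "db-prod-01", "alice"),
    (2, "db-prod-02", "bob"),
    (3, "vpn-gw", "alice"),
]
SAMPLE_CREDENTIALS = [
    (1, "s3cret-1"),
    (2, "s3cret-2"),
]

# Hypothetical payloads: a tautology that widens the WHERE clause, and a
# UNION that pulls rows from an unrelated table through the same request.
PAYLOAD_TAUTOLOGY = "x' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT id, secret FROM credentials --"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE resources (id INTEGER, name TEXT, owner TEXT)")
    conn.execute("CREATE TABLE credentials (id INTEGER, secret TEXT)")
    conn.executemany("INSERT INTO resources VALUES (?, ?, ?)", SAMPLE_RESOURCES)
    conn.executemany("INSERT INTO credentials VALUES (?, ?)", SAMPLE_CREDENTIALS)
    return conn


def search_vulnerable(conn, owner):
    # Request parameter concatenated straight into the statement: the
    # attacker controls query structure, not just a value.
    sql = f"SELECT id, name FROM resources WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def naive_escape(value):
    # Quote-doubling escape, i.e. "escaping special characters". It stops
    # these payloads, but only because the value lands inside a quoted
    # string literal; it does nothing for numeric or identifier contexts.
    return value.replace("'", "''")


def search_escaped(conn, owner):
    sql = f"SELECT id, name FROM resources WHERE owner = '{naive_escape(owner)}'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn, owner):
    # Bound parameter: the driver sends the value separately from the SQL
    # text, so no content of `owner` can alter the query structure.
    return conn.execute(
        "SELECT id, name FROM resources WHERE owner = ? ORDER BY id", (owner,)
    ).fetchall()


def demo():
    """Run each query style against both payloads and a legitimate value."""
    conn = make_db()
    return {
        "vuln_tautology": search_vulnerable(conn, PAYLOAD_TAUTOLOGY),
        "vuln_union": search_vulnerable(conn, PAYLOAD_UNION),
        "escaped_tautology": search_escaped(conn, PAYLOAD_TAUTOLOGY),
        "escaped_union": search_escaped(conn, PAYLOAD_UNION),
        "param_tautology": search_parameterized(conn, PAYLOAD_TAUTOLOGY),
        "param_union": search_parameterized(conn, PAYLOAD_UNION),
        "param_legit": search_parameterized(conn, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:18s} {rows}")
```

The tautology payload returns every row from the concatenated query, and the UNION payload returns the credentials table through a request that only ever selected from resources; both escaping and parameter binding return nothing for those inputs while the legitimate lookup still works. Escaping is the narrower fix, so when reviewing a vendor patch described in those terms it is worth confirming that every injection point was covered rather than assuming the class is closed.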
Steps to Upgrade:
- Download the latest upgrade pack from the following links for the respective product:
- PAM360 - https://www.manageengine.com/privileged-access-management/upgradepack.html
- Password Manager Pro - https://www.manageengine.com/products/passwordmanagerpro/upgradepack.html
- Access Manager Plus - https://www.manageengine.com/privileged-session-management/upgradepack.html
- Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.
For further details, contact product support at the email addresses below:
PAM360: [email protected]
Password Manager Pro: [email protected]
Access Manager Plus: [email protected]
Related news
Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001, allows remote attackers to execute arbitrary code and steal cookies via crafted JavaScript payload.