Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2014-3997

CWE-89SQL Injection4 documents4 sources
Severity
7.5HIGH
EPSS
1.3%
top 20.35%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Zohocorp Manageengine It360Zohocorp Manageengine Password Manager PRO
Timeline
PublishedDec 5
Latest updateMay 14

Description

SQL injection vulnerability in the MetadataServlet servlet in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition 5 through 7 build 7003, IT360 and IT360 Managed Service Providers (MSP) edition before 10.3.3 build 10330, and possibly other ManageEngine products, allows remote attackers or remote authenticated users to execute arbitrary SQL commands via the sv parameter to MetadataServlet.dat.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

🔴Vulnerability Details

2
GHSA
GHSA-72w4-9phv-wp38: SQL injection vulnerability in the MetadataServlet servlet in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Provide2022-05-14
CVEList
CVE-2014-3997: SQL injection vulnerability in the MetadataServlet servlet in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Provide2014-12-05

💥Exploits & PoCs

1
Exploit-DB
ManageEngine Password Manager Pro / ManageEngine IT360 - SQL Injection2014-08-20
CVE-2014-3997 (HIGH CVSS 7.5) | SQL injection vulnerability in the | cvebase.io