CVE-2014-8499
published 2014-11-17

CVE-2014-8499: Multiple SQL injection vulnerabilities in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7.1…

Priority: P356, medium
CVSS 2.0: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
EXPLOIT
EPSS: 33.59% (98.2th percentile)
Multiple SQL injection vulnerabilities in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7.1 build 7105 allow remote authenticated users to execute arbitrary SQL commands via the SEARCH_ALL parameter to (1) SQLAdvancedALSearchResult.cc or (2) AdvancedSearchResult.cc.

Affected

1 range

Vendor | Product | Version range | Fixed in
manageengine | password_manager_pro | <= 7.1 |

Detection & IOCs (extracted from sources)

url: /SQLAdvancedALSearchResult.cc
url: /AdvancedSearchResult.cc
command: update AaaAuthorizedRole set role_id=1 where account_id=;insert into ptrx_superadmin values (,true);
other: SEARCH_ALL parameter
  • Monitor HTTP POST requests to /SQLAdvancedALSearchResult.cc and /AdvancedSearchResult.cc for SQL metacharacters or stacked queries in the SEARCH_ALL parameter.
  • Detect privilege escalation attempts via SQL injection targeting the AaaAuthorizedRole and ptrx_superadmin tables in the ManageEngine PMP PostgreSQL backend.
  • The exploit requires only a low-privileged guest account; alert on authenticated POST requests to the vulnerable endpoints from guest-tier accounts.
  • The injection point uppercases injected strings and escapes single quotes with backslashes; look for double-escaped backslash sequences (\\\'') in SEARCH_ALL POST body values as an evasion indicator.
  • This vulnerability is only exploitable via stacked queries on PostgreSQL backends; MySQL deployments are not exploitable by this attack path. Confirm backend type during triage.
  • A Metasploit auxiliary module (manageengine_pmp_privesc) exists for this CVE; correlate IDS/WAF alerts with known Metasploit HTTP patterns against PMP endpoints.
  • Exploitation via stacked queries only works against PostgreSQL backends (default in PMP v6.8+). Older PMP installs upgraded from MySQL remain unexploitable via this specific technique even if running a vulnerable version number.
  • Affected version range is broad and not fully bounded; confirmed vulnerable from at least v6.5 up to v7.1 build 7104 on both Windows and Linux.
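
The monitoring guidance above, as an added detection sketch (not code from this page, the vendor, or any cited source). The function name inspect_request, the finding labels, the role field and the sample events are assumptions constructed for illustration; the endpoints, parameter and table names are the ones listed above.

```python
import re
from urllib.parse import parse_qs

# Endpoints and parameter named in the advisory text above.
VULN_PATHS = ("/SQLAdvancedALSearchResult.cc", "/AdvancedSearchResult.cc")
PARAM = "SEARCH_ALL"
# Tables listed above as privilege-escalation targets. Matched case-insensitively
# because the injection point is described as uppercasing injected strings.
TABLES = re.compile(r"aaaauthorizedrole|ptrx_superadmin", re.I)
# Metacharacter checks: stacked-query separator, quote/backslash escaping, SQL comment.
CHECKS = [
    ("stacked-query", re.compile(r";\s*\w")),
    ("quote-or-backslash", re.compile(r"['\\]")),
    ("sql-comment", re.compile(r"--|/\*")),
]

def inspect_request(method, path, body, role=None):
    """Return a sorted list of finding labels for one form-encoded request.

    `role` is an assumed field taken from your own auth/session logs.
    """
    if method.upper() != "POST" or not path.split("?")[0].endswith(VULN_PATHS):
        return []
    findings = set()
    # parse_qs URL-decodes each value; blank values are kept so the parameter is still seen.
    for value in parse_qs(body, keep_blank_values=True).get(PARAM, []):
        for label, rx in CHECKS:
            if rx.search(value):
                findings.add(label)
        if TABLES.search(value):
            findings.add("privileged-table")
    # Raise severity when a suspicious request comes from a guest-tier account.
    if findings and role and role.lower() == "guest":
        findings.add("guest-account")
    return sorted(findings)

# Constructed sample events (method, path, body, role); not real traffic.
SAMPLES = [
    ("POST", "/AdvancedSearchResult.cc", "SEARCH_ALL=mail+server", "guest"),
    ("POST", "/SQLAdvancedALSearchResult.cc",
     "SEARCH_ALL=x%27%3Binsert+into+ptrx_superadmin+values+%28%2Ctrue%29%3B", "guest"),
    ("GET", "/AdvancedSearchResult.cc", "SEARCH_ALL=a%27", "guest"),
    ("POST", "/Other.cc", "SEARCH_ALL=a%27%3Bselect+1", "admin"),
]

if __name__ == "__main__":
    for event in SAMPLES:
        print(event[1], inspect_request(*event))
```

Legitimate searches containing an apostrophe will trigger the quote check, so treat single-label hits as low severity and prioritise events that combine a stacked query with a privileged table name.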