CVE-2014-8499
Published 2014-11-17
Priority P356 · medium · CVSS 2.0: 6.5
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 33.59% (98.2th percentile)
Multiple SQL injection vulnerabilities in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7.1 build 7105 allow remote authenticated users to execute arbitrary SQL commands via the SEARCH_ALL parameter to (1) SQLAdvancedALSearchResult.cc or (2) AdvancedSearchResult.cc.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| manageengine | password_manager_pro | <= 7.1 | — |
Detection & IOCs (extracted from sources)
command: update AaaAuthorizedRole set role_id=1 where account_id=;insert into ptrx_superadmin values (,true);
- Monitor HTTP POST requests to /SQLAdvancedALSearchResult.cc and /AdvancedSearchResult.cc for SQL metacharacters or stacked queries in the SEARCH_ALL parameter.
- Detect privilege escalation attempts via SQL injection targeting the AaaAuthorizedRole and ptrx_superadmin tables in the ManageEngine PMP PostgreSQL backend.
- The exploit requires only a low-privileged guest account; alert on authenticated POST requests to the vulnerable endpoints from guest-tier accounts.
- The injection point uppercases injected strings and escapes single quotes with backslashes; look for double-escaped backslash sequences (\\\'') in SEARCH_ALL POST body values as an evasion indicator.
- This vulnerability is only exploitable via stacked queries on PostgreSQL backends; MySQL deployments are not exploitable by this attack path. Confirm backend type during triage.
- A Metasploit auxiliary module (manageengine_pmp_privesc) exists for this CVE; correlate IDS/WAF alerts with known Metasploit HTTP patterns against PMP endpoints.
- Note: Exploitation via stacked queries only works against PostgreSQL backends (default in PMP v6.8+). Older PMP installs upgraded from MySQL remain unexploitable via this specific technique even if running a vulnerable version number.
- Note: Affected version range is broad and not fully bounded; confirmed vulnerable from at least v6.5 up to v7.1 build 7104 on both Windows and Linux.
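The monitoring guidance above can be turned into a request inspector. This is an added example, not code from the advisory, Metasploit or the vendor: the function name `inspect_request`, the rule names and the `role` argument are assumptions, and it presumes a proxy or WAF that records POST bodies and can map a session to a PMP role. The sample requests are constructed, not captured traffic.

```python
import re
from urllib.parse import parse_qs, urlencode

# Endpoints and parameter named in the CVE-2014-8499 description.
VULN_PATHS = {"/SQLAdvancedALSearchResult.cc", "/AdvancedSearchResult.cc"}
PARAM = "SEARCH_ALL"

# Heuristics derived from the guidance above; the rule names are ours.
RULES = [
    ("stacked_query", re.compile(
        r";\s*(select|insert|update|delete|drop|create|alter|copy)\b", re.I)),
    ("privesc_table", re.compile(r"\b(aaaauthorizedrole|ptrx_superadmin)\b", re.I)),
    # Two or more backslashes directly before a quote (escaped-escape pattern).
    ("quote_escape_evasion", re.compile(r"\\\\+'")),
    ("sql_metachar", re.compile(r"'|--|/\*")),
]

def inspect_request(method, path, body, role=None):
    """Return the sorted rule names hit by one parsed HTTP request."""
    if method.upper() != "POST" or path.split("?", 1)[0] not in VULN_PATHS:
        return []
    hits = set()
    # parse_qs percent-decodes each value, so encoded ';' and quotes are seen.
    for value in parse_qs(body, keep_blank_values=True).get(PARAM, []):
        hits.update(name for name, rx in RULES if rx.search(value))
    # Guest-tier sessions are enough to reach the endpoint; raise priority.
    if hits and role == "guest":
        hits.add("guest_account")
    return sorted(hits)

# Constructed sample requests: (method, path, body, role)
SAMPLES = [
    ("POST", "/AdvancedSearchResult.cc", urlencode({PARAM: "mail server"}), "guest"),
    ("POST", "/SQLAdvancedALSearchResult.cc",
     urlencode({PARAM: "x;update AaaAuthorizedRole set ..."}), "guest"),
    ("POST", "/AdvancedSearchResult.cc", urlencode({PARAM: "x\\\\\\''"}), "admin"),
    ("GET", "/AdvancedSearchResult.cc", urlencode({PARAM: "x;select 1"}), "guest"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[1], sample[3], inspect_request(*sample))
```

A lone `sql_metachar` hit is weak on its own (a search for a name containing an apostrophe triggers it), so weight it below the stacked-query and table-name rules when alerting.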
Exploit-DB
Password Manager Pro / Pro MSP - Blind SQL Injection
exploitdb·2014-11-10·CVSS 6.5
---
>> Authenticated blind SQL injection in Password Manager Pro / Pro MSP
>> Discovered by Pedro Ribeiro, Agile Information Security
Disclosure: 08/11/2014 / Last updated: 08/11/2014
>> Background on the affected products:
"Password Manager Pro (PMP) is a secure vault for storing and managing
shared sensitive information such as passwords, documents and digital
identities of enterprises."
>> Technical details:
PMP has a SQL injection vulnerability in its search function. A valid
user account is required to exploit the injection, however a low
privileged guest account is enough.
The application uses different database backends by default depending
on its version: versions >=
6.8 use PostgreSQL. Single quotes are e
Metasploit
ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection
metasploit
ManageEngine Password Manager Pro (PMP) has an authenticated blind SQL injection vulnerability in SQLAdvancedALSearchResult.cc that can be abused to escalate privileges and obtain Super Administrator access. A Super Administrator can then use his privileges to dump the whole password database in CSV format. PMP can use both MySQL and PostgreSQL databases but this module only exploits the latter as MySQL does not support stacked queries with Java. PostgreSQL is the default database in v6.8 and above, but older PMP versions can be upgraded and continue using MySQL, so a higher version does not guarantee exploitability. This module has been tested on v6.8 to v7.1 build 7104 on both Windows and Linux. The vulnerabili
References
- http://osvdb.org/show/osvdb/114484
- http://osvdb.org/show/osvdb/114485
- http://packetstormsecurity.com/files/129036/Password-Manager-Pro-SQL-Injection.html
- http://seclists.org/fulldisclosure/2014/Nov/18
- http://www.exploit-db.com/exploits/35210
- http://www.securityfocus.com/bid/71018
- https://exchange.xforce.ibmcloud.com/vulnerabilities/98595
- https://exchange.xforce.ibmcloud.com/vulnerabilities/98597
- https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_pmp_privesc.txt