Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2014-8499 — SQL Injection in Password Manager PRO

CWE-89 — SQL Injection4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

74.9%

top 1.13%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Manageengine Password Manager PRO

Timeline

PublishedNov 17

Latest updateMay 17

Description

Multiple SQL injection vulnerabilities in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7.1 build 7105 allow remote authenticated users to execute arbitrary SQL commands via the SEARCH_ALL parameter to (1) SQLAdvancedALSearchResult.cc or (2) AdvancedSearchResult.cc.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 8.0 | Impact: 6.4

Affected Packages1 packages

▶NVDmanageengine/password_manager_pro7.1

🔴Vulnerability Details

GHSA

GHSA-4hv5-pvg9-j6v2: Multiple SQL injection vulnerabilities in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition bef↗2022-05-17

▶

CVEList

CVE-2014-8499: Multiple SQL injection vulnerabilities in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition bef↗2014-11-17

▶

💥Exploits & PoCs

Exploit-DB

Password Manager Pro / Pro MSP - Blind SQL Injection↗2014-11-10

▶