CVE-2015-5459

CWE-89 — SQL Injection4 documents4 sources

Severity

6.5MEDIUM

EPSS

0.8%

top 25.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zohocorp Manageengine Password Manager PRO

Timeline

PublishedJul 8

Latest updateMay 17

Description

SQL injection vulnerability in the AdvanceSearch.class in AdventNetPassTrix.jar in ManageEngine Password Manager Pro (PMP) before 8.1 Build 8101 allows remote authenticated users to execute arbitrary SQL commands via the ANDOR parameter, as demonstrated by a request to STATE_ID/1425543888647/SQLAdvancedALSearchResult.cc.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 8.0 | Impact: 6.4

Affected Packages1 packages

▶NVDzohocorp/manageengine_password_manager_pro8.1

Patches

Patch: www.manageengine.com ↗Patch: www.manageengine.com ↗

🔴Vulnerability Details

GHSA

GHSA-8r27-47c2-gr4x: SQL injection vulnerability in the AdvanceSearch↗2022-05-17

▶

CVEList

CVE-2015-5459: SQL injection vulnerability in the AdvanceSearch↗2015-07-08

▶

💬Community

HackerOne

PHP 5.4.45 is Outdated and Full of Preformance Interupting Arbitrary Code Execution Bugs↗2017-08-21

▶