CVE-2022-40300

CWE-89 — SQL Injection7 documents5 sources

Severity

9.8CRITICAL

EPSS

38.2%

top 2.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zohocorp Manageengine Access Manager Plus Zohocorp Manageengine Pam360 Zohocorp Manageengine Password Manager PRO

Timeline

PublishedSep 16

Latest updateDec 11

Description

Zoho ManageEngine Password Manager Pro through 12120 before 12121, PAM360 through 5550 before 5600, and Access Manager Plus through 4304 before 4305 have multiple SQL injection vulnerabilities.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDzohocorp/manageengine_access_manager_plus4 versions+3

▶NVDzohocorp/manageengine_password_manager_pro50 versions+49

▶NVDzohocorp/manageengine_pam3609 versions+8

Patches

Patch: www.manageengine.com ↗Patch: www.manageengine.com ↗

🔴Vulnerability Details

GHSA

GHSA-mvcp-j3fp-64mm: Zoho ManageEngine Password Manager Pro through 12120 before 12121, PAM360 through 5550 before 5600, and Access Manager Plus through 4304 before 4305 h↗2022-09-17

▶

CVEList

CVE-2022-40300: Zoho ManageEngine Password Manager Pro through 12120 before 12121, PAM360 through 5550 before 5600, and Access Manager Plus through 4304 before 4305 h↗2022-09-16

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS Zoho ManageEngine Password Manager Pro SQL Injection (CVE-2022-40300)↗2025-12-11

▶

🕵️Threat Intelligence

Trendmicro

SQL Injection in ManageEngine Privileged Access Management↗2022-11-23

▶

Trendmicro

SQL Injection in ManageEngine Privileged Access Management↗2022-11-23

▶

Trendmicro

SQL Injection in ManageEngine Privileged Access Management↗2022-11-23

▶