CVE-2022-47523 — SQL Injection in Manageengine Access Manager Plus

CWE-89 — SQL Injection CWE-79 — Cross-site Scripting4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

45.6%

top 2.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zohocorp Manageengine Access Manager Plus Zohocorp Manageengine Pam360 Zohocorp Manageengine Password Manager PRO

Timeline

PublishedJan 5

Description

Zoho ManageEngine Access Manager Plus before 4309, Password Manager Pro before 12210, and PAM360 before 5801 are vulnerable to SQL Injection.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDzohocorp/manageengine_access_manager_plus< 4.3+1

▶NVDzohocorp/manageengine_password_manager_pro< 12.2+1

▶NVDzohocorp/manageengine_pam360< 5.8+1

Patches

Patch: www.manageengine.com ↗Patch: www.manageengine.com ↗

🔴Vulnerability Details

GHSA

GHSA-jw4x-gv7r-c358: Zoho ManageEngine Access Manager Plus before 4309, Password Manager Pro before 12210, and PAM360 before 5801 are vulnerable to SQL Injection↗2023-01-05

▶

CVEList

CVE-2022-47523: Zoho ManageEngine Access Manager Plus before 4309, Password Manager Pro before 12210, and PAM360 before 5801 are vulnerable to SQL Injection↗2023-01-05

▶