SQL Injection Vulnerability in Zoho ManageEngine

Zoho releases a security update addressing an SQL injection vulnerability in Zoho Password Manager Pro, PAM360, and Access Manager Plus

Threat ID:: CC-4239
Threat Severity:: Medium
Published:: 5 January 2023 2:48 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Zoho releases a security update addressing an SQL injection vulnerability in Zoho Password Manager Pro, PAM360, and Access Manager Plus

Affected platforms

The following platforms are known to be affected:

Versions: 12200 and below

Zoho ManageEngine Password Manager Pro

Versions: 5800 and below

Zoho ManageEngine PAM360

Versions: 4308 and below

Zoho ManageEngine Access Manager Plus

Threat details

Introduction

Zoho has released a security update to address an SQL injection vulnerability affecting Zoho Password Manager Pro, PAM360, and Access Manager Plus. The vulnerability, tracked as CVE-2022-47523, is rated as High and could allow an attacker to execute custom queries and access the database table entries using the vulnerable request.

Remediation advice

Affected organisations are encouraged to review Zoho ManageEngine's security advisory CVE-2022-47523 and apply the necessary updates to the latest release.

Definitive source of threat updates

CVE Vulnerabilities

Status Published

CVE-2022-47523

Zoho ManageEngine Access Manager Plus before 4309, Password Manager Pro before 12210, and PAM360 before 5801 are vulnerable to SQL Injection.

Last edited: 5 January 2023 2:48 pm