Multiple SQL Injection vulnerabilities - CVE-2022-40300

Multiple SQL Injection Vulnerabilities in ManageEngine Password Manager Pro, PAM360 and Access Manager Plus

Severity : High

CVE ID : CVE-2022-40300

Details :
Multiple SQL Injection vulnerabilities (CVE-2022-40300) were discovered in Password Manager Pro, PAM360 and Access Manager Plus.

| Product Name | Affected Version(s) | Fixed Version(s) | Fixed On |
|---|---|---|---|
| Password Manager Pro | 12120 and below | 12121 | 10-09-2022 |
| PAM360 | 5550 and below | 5600 | 11-09-2022 |
| Access Manager Plus | 4304 and below | 4305 | 10-09-2022 |

We fixed the issue by adding proper validation and escaping special characters on the server side.

Impact:
These vulnerabilities can allow an adversary to execute custom queries and access the database table entries using the vulnerable request.

Steps to Upgrade:

  1. Download the latest upgrade pack from the following links for the respective products:
  2. Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.

For further details, please contact product support at the email addresses below:

PAM360: pam360-support@manageengine.com

Password Manager Pro: passwordmanagerpro-support@manageengine.com

Access Manager Plus: accessmanagerplus-support@manageengine.com
