Zoho is urging its customers to patch a high-severity SQL injection vulnerability, tracked as CVE-2022-47523, that affects multiple ManageEngine products.
“This security advisory is to let you know that a high severity vulnerability was detected in ManageEngine Password Manager Pro.” reads the advisory published by Zoho. “An SQL Injection vulnerability(CVE-2022-47523) was discovered in Password Manager Pro.”
An attacker can exploit the flaw to run arbitrary SQL queries through the vulnerable request and read records from the backend database.
The vendor addressed the flaw by adding proper validation and escaping special characters.
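The advisory names the bug class and the fix (input validation plus escaping of special characters) but publishes no code. The following is an added illustration, not Password Manager Pro's code, showing why string-built SQL lets a request author read other tables and how a bound parameter, backed by an allow-list check on the input, closes that off. The table names, columns and rows are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data for the demonstration; not the product's schema.
USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
]
VAULT = [
    (1, "db-admin", "s3cr3t"),
    (2, "ssh-root", "hunter2"),
]

# Attacker-supplied value for the "name" request parameter. The UNION pulls
# rows from a table the request was never meant to touch.
PAYLOAD = "x' UNION SELECT id, label, value FROM vault WHERE '1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.execute("CREATE TABLE vault (id INTEGER, label TEXT, value TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO vault VALUES (?, ?, ?)", VAULT)
    return conn


def lookup_vulnerable(conn, name):
    # Untrusted input concatenated into the statement: the client controls
    # SQL syntax, so a quote character ends the literal and the rest of the
    # payload becomes part of the query.
    sql = f"SELECT id, name, email FROM users WHERE name = '{name}'"
    return sorted(conn.execute(sql).fetchall())


def is_valid_name(name):
    # Allow-list validation (hypothetical policy): short, alphanumeric plus a
    # few separators. Reject anything else before it reaches the database.
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", name) is not None


def lookup_parameterized(conn, name):
    # The parameter travels separately from the statement text, so a quote in
    # the input is data, never syntax. Validation is a second, independent layer.
    if not is_valid_name(name):
        return []
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return sorted(conn.execute(sql, (name,)).fetchall())


def demo():
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),
        "parameterized": lookup_parameterized(conn, PAYLOAD),
        "normal": lookup_parameterized(conn, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Escaping quote characters alone, as the advisory mentions, works only if every code path applies it consistently and the database's quoting rules are fully understood; the bound parameter removes the problem structurally, and the allow-list check stops malformed input early regardless of which query consumes it.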
The flaw impacts Password Manager Pro, versions 12200 and below.
“We identified a SQL injection vulnerability (CVE-2022-47523) in our internal framework that would grant access to all the Password Manager Pro users to the backend database. It has now been fixed.” Zoho added.
Below are the steps to upgrade the installs:
In September, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw in Zoho ManageEngine, tracked as CVE-2022-35405 (CVSS score 9.8), to its Known Exploited Vulnerabilities Catalog.
The CVE-2022-35405 flaw is a remote code execution vulnerability that impacts ManageEngine PAM360, Password Manager Pro, and Access Manager Plus.