The affected components are Zoho ManageEngine Password Manager Pro, PAM360, and Access Manager Plus. If a user has these software installed on their system, an attacker can exploit the vulnerability to gain access to sensitive data. In Zoho ManageEngine Password Manager Pro, an attacker can inject SQL commands into the system to obtain additional user data. In PAM360, an attacker can exploit the vulnerability to inject SQL commands to obtain additional data. Finally, in Access Manager Plus, the attacker can execute SQL commands that can extract data from the system. Zoho ManageEngine Password Manager Pro, PAM360, and Access Manager Plus are all enterprise software solutions. These are all widely used in organizations, and an attacker can exploit this vulnerability to gain access to sensitive data. An attacker must first gain access to a user’s system to exploit this vulnerability. When a user clicks on a malicious link on a website, downloads and installs a malicious software, or visits a malicious website, the attacker can exploit this vulnerability and obtain access to sensitive data.
Zoho ManageEngine Password Manager Pro
Zoho ManageEngine Password Manager Pro is an enterprise software solution that has a large number of users. It is widely used in organizations, and an attacker can exploit this vulnerability to gain access to sensitive data. An attacker must first gain access to a user’s system to exploit this vulnerability. When a user clicks on a malicious link on a website, downloads and installs a malicious software, or visits a malicious website, the attacker can exploit this vulnerability and obtain access to sensitive data.
In Zoho ManageEngine Password Manager Pro, an attacker can inject SQL commands into the system to obtain additional user data. In PAM360, an attacker can exploit the vulnerability to inject SQL commands to obtain additional data. Finally, in Access Manager Plus, the attacker can execute SQL commands that can extract data from the system. These are all enterprise software solutions that have been used for years in organizations across multiple industries with many different types of users.
Vulnerable Code
The vulnerable code is an input validation flaw in Zoho ManageEngine Password Manager Pro, PAM360, and Access Manager Plus. An attacker can exploit this vulnerability to execute commands on the system by entering the following SQL statement into the input box:
SELECT * from usr_vw where uid='ZMMP' AND version=1
As shown in the affected components’ software, an attacker must first gain access to a user’s system to exploit this vulnerability. When a user clicks on a malicious link on a website, downloads and installs a malicious software, or visits a malicious website, the attacker can exploit this vulnerability and obtain access to sensitive data.
Timeline
Published on: 11/12/2022 04:15:00 UTC
Last modified on: 11/16/2022 23:13:00 UTC