CVE-2022-43672 In PAM360, Password Manager Pro, and Access Manager Plus, SQL Injection (CVE-2022-43671) was found in a different software component.

CVE-2022-43672 In PAM360, Password Manager Pro, and Access Manager Plus, SQL Injection (CVE-2022-43671) was found in a different software component.

The affected components are Zoho ManageEngine Password Manager Pro, PAM360, and Access Manager Plus. If a user has these software installed on their system, an attacker can exploit the vulnerability to gain access to sensitive data. In Zoho ManageEngine Password Manager Pro, an attacker can inject SQL commands into the system to obtain additional user data. In PAM360, an attacker can exploit the vulnerability to inject SQL commands to obtain additional data. Finally, in Access Manager Plus, the attacker can execute SQL commands that can extract data from the system. Zoho ManageEngine Password Manager Pro, PAM360, and Access Manager Plus are all enterprise software solutions. These are all widely used in organizations, and an attacker can exploit this vulnerability to gain access to sensitive data.   An attacker must first gain access to a user’s system to exploit this vulnerability. When a user clicks on a malicious link on a website, downloads and installs a malicious software, or visits a malicious website, the attacker can exploit this vulnerability and obtain access to sensitive data.

Zoho ManageEngine Password Manager Pro

Zoho ManageEngine Password Manager Pro is an enterprise software solution that has a large number of users. It is widely used in organizations, and an attacker can exploit this vulnerability to gain access to sensitive data. An attacker must first gain access to a user’s system to exploit this vulnerability. When a user clicks on a malicious link on a website, downloads and installs a malicious software, or visits a malicious website, the attacker can exploit this vulnerability and obtain access to sensitive data.
In Zoho ManageEngine Password Manager Pro, an attacker can inject SQL commands into the system to obtain additional user data. In PAM360, an attacker can exploit the vulnerability to inject SQL commands to obtain additional data. Finally, in Access Manager Plus, the attacker can execute SQL commands that can extract data from the system. These are all enterprise software solutions that have been used for years in organizations across multiple industries with many different types of users.

Vulnerable Code

The vulnerable code is an input validation flaw in Zoho ManageEngine Password Manager Pro, PAM360, and Access Manager Plus. An attacker can exploit this vulnerability to execute commands on the system by entering the following SQL statement into the input box:
SELECT * from usr_vw where uid='ZMMP' AND version=1
As shown in the affected components’ software, an attacker must first gain access to a user’s system to exploit this vulnerability. When a user clicks on a malicious link on a website, downloads and installs a malicious software, or visits a malicious website, the attacker can exploit this vulnerability and obtain access to sensitive data.

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe