CVE-2022-43671

Vulnerability

CVE-2022-43671 is an SQL injection vulnerability found in Zoho ManageEngine Password Manager Pro (versions 12121 and below), PAM360 (versions 5710 and below), and Access Manager Plus (versions 4305 and below). The flaw arises from improper validation of user-supplied input, allowing an attacker to inject arbitrary SQL queries into database interactions [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted request to the affected product's web interface, typically requiring network access to the application but no prior authentication in many scenarios. The lack of proper input escaping enables the attacker to inject malicious SQL code through vulnerable parameters [1].

Impact

Successful exploitation allows an adversary to execute arbitrary SQL queries and access sensitive data stored in the database, including entries from tables that may contain credentials or other privileged information. The impact is limited to data confidentiality and integrity; the vulnerability does not directly enable remote code execution or privilege escalation [1].

Mitigation

Fixed versions are: Password Manager Pro 12122 (released 21 October 2022), PAM360 5711 (released 22 October 2022), and Access Manager Plus 4306 (released 23 October 2022). Users must upgrade to these versions immediately. No workaround is available; the vendor strongly recommends upgrading [1].