CVE-2022-43672
Description
Zoho ManageEngine Password Manager Pro before 12122, PAM360 before 5711, and Access Manager Plus before 4306 allow SQL Injection (in a different software component relative to CVE-2022-43671).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Builds of Zoho ManageEngine Password Manager Pro, PAM360, and Access Manager Plus earlier than the fixed versions are vulnerable to SQL injection due to improper input validation.
Vulnerability
CVE-2022-43672 is an SQL injection vulnerability discovered in Zoho ManageEngine Password Manager Pro (versions 12121 and below), PAM360 (versions 5710 and below), and Access Manager Plus (versions 4305 and below). The vulnerability exists due to improper validation of user-supplied input, allowing an attacker to inject malicious SQL queries through a vulnerable request. No authentication or special privileges are mentioned for this specific component, unlike the related CVE-2022-43671 [1].
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted request to the affected ManageEngine product. The lack of proper validation and escaping of special characters enables the injection of arbitrary SQL commands. The attacker does not require prior authentication, as the vulnerable code path is reachable from unauthenticated requests [1].
Impact
Successful exploitation allows an adversary to execute custom SQL queries and access database table entries. This can lead to unauthorized reading, modification, or deletion of sensitive data stored in the underlying database, including password vault contents and configuration information [1].
Mitigation
The vendor released fixed versions: Password Manager Pro 12122 (fixed on 2022-10-21), PAM360 5711 (fixed on 2022-10-22), and Access Manager Plus 4306 (fixed on 2022-10-23). Customers are strongly advised to upgrade to the latest build immediately. Upgrade packs are available from the respective product download pages [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho ManageEngine/Password Manager Pro
- Range: <5711
- Range: <4306
- Range: <12122
Patches
No patches discovered yet.
References