Unrated severity · NVD Advisory · Published Jan 5, 2023 · Updated Apr 9, 2025

CVE-2022-47523


Description

Zoho ManageEngine Access Manager Plus before 4309, Password Manager Pro before 12210, and PAM360 before 5801 are vulnerable to SQL Injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in ManageEngine Access Manager Plus, Password Manager Pro, and PAM360 before specific versions allows an attacker to execute arbitrary database queries and access table entries.

Vulnerability

Zoho ManageEngine Access Manager Plus before version 4309, Password Manager Pro before version 12210, and PAM360 before version 5801 are affected by SQL injection in a vulnerable request [1]. The issue arises from insufficient input validation and a lack of proper escaping of special characters, which allows an attacker to inject malicious SQL statements [1].

Exploitation

To exploit this vulnerability, an attacker needs to send a specially crafted request to the affected product. The attacker does not require authentication or any special network position; the vulnerable endpoint is accessible to any user who can interact with the application [1]. The exact request parameters and injection point are not publicly disclosed in the advisory, but the vendor states the issue allows execution of custom queries [1].

Impact

Successful exploitation allows an adversary to execute arbitrary SQL queries against the database and access database table entries [1]. This can lead to disclosure of sensitive information stored in the database, including privileged account credentials, configuration data, and other confidential information held by the password management and privileged session management products. The impact as described is limited to read access to data, since the attack is described as SQL injection; the advisory does not detail the full scope of database access (read/write).

Mitigation

The vendor has released fixed versions for all three products: Password Manager Pro version 12210 (fixed on 30 December 2022), PAM360 version 5801 (fixed on 28 December 2022), and Access Manager Plus version 4309 (fixed on 29 December 2022) [1]. Customers are strongly advised to upgrade to the latest build immediately [1]. There are no workarounds disclosed; the only mitigation is applying the upgrade packs available from the vendor's download links [1].
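An inventory triage check built on the fixed builds listed above. This is an added example, not vendor or advisory code; the CSV layout, hostnames and sample builds are constructed, and it assumes build numbers are plain integers as written on this page.

```python
import csv
import io

# First fixed build per product, taken from the mitigation text above.
FIXED_BUILD = {
    "password manager pro": 12210,
    "pam360": 5801,
    "access manager plus": 4309,
}

# Constructed sample inventory (hosts and builds are made up for the example).
SAMPLE_INVENTORY = """host,product,build
pmp-01.example.internal,Password Manager Pro,12200
pam-01.example.internal,PAM360,5801
amp-01.example.internal,Access Manager Plus,4308
pmp-02.example.internal,password manager  pro , 12210
pam-02.example.internal,PAM360,unknown
app-01.example.internal,Some Other Product,14000
"""


def classify(product, build):
    """Return 'vulnerable', 'fixed', 'out-of-scope' or 'needs-review'."""
    # Normalise case and whitespace so inventory spelling variants still match.
    fixed = FIXED_BUILD.get(" ".join(product.lower().split()))
    if fixed is None:
        return "out-of-scope"      # product is not named in this CVE
    try:
        number = int(build.strip())
    except ValueError:
        return "needs-review"      # never treat an unreadable build as safe
    return "vulnerable" if number < fixed else "fixed"


def triage(inventory_csv):
    """Map each host in a host,product,build CSV to its classification."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["product"], row["build"]) for row in reader}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as needs-review should be checked by hand rather than counted as patched.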

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4


References

1
