A high-severity SQL injection vulnerability has been patched in recent updates for the Zoho ManageEngine products Password Manager Pro, PAM360, and Access Manager Plus. The software provider released a security advisory for the vulnerability advising customers of all three affected products to upgrade to the latest versions immediately because of its severity. An SQL injection attack can cause the data in the target database to be modified or completely destroyed, depending on the query an attacker injects.
The high severity rating reflects the fact that the flaw can be exploited by any unauthenticated user. Through this flaw in the product's internal framework, an attacker could reach the backend database and read table entries by executing custom queries. Despite being assigned this high severity rating by ManageEngine, the vulnerability, tracked as CVE-2022-47523, has not yet been given a CVSS base score by the National Vulnerability Database (NVD). The vulnerability stems from a vulnerable request handled by the database layer; the recent updates patch it by adding proper input validation and escaping special characters.
To apply the new security patches, users of Access Manager Plus should upgrade to fixed version 4309, PAM360 users should upgrade to version 5801, and Password Manager Pro users should upgrade to version 12.2 (build 12210 or 12211). An additional advisory has been released for ManageEngine Password Manager Pro customers with further details on how to protect user data when upgrading to a patched version of the product. ManageEngine advises users to back up their entire Password Manager Pro installation folder to a separate location before applying the upgrade, and additionally recommends a database backup for all MS SQL Server users. The backups can be deleted once the upgrade has completed successfully.