Product NameAffected Version(s)Fixed Version(s)Fixed on
Access Manager Plus4305 and below430623/10/2022
Password Manager Pro12121 and below1212221/10/2022
PAM3605710 and below571122/10/2022

Details
1. SQL injection vulnerabilities. These vulnerabilities can allow an adversary to execute custom queries and access the database table entries using the vulnerable request.

2. Sensitive Information Disclosure was observed in personal password export in PAM360 and Password Manager Pro. This has been fixed by removing the exported file containing passwords from the server once the user has downloaded it

Impact
1. The SQL Injection vulnerabilities could allow adversaries to execute custom queries and access the database table entries using the vulnerable request.

2. Any user who has access to Password Manager Pro/PAM360 installation directory can view the exported personal data.

What should you do?

The latest version of Password Manager Pro, PAM360 and Access Manager Plus holds the recommended mitigation targeting the vulnerabilities. We recommend users upgrade to the latest build.

Steps to upgrade
Download the latest service pack from the following links provided below

Access Manager Plus
https://www.manageengine.com/privileged-session-management/upgradepack.html

PAM360
https://www.manageengine.com/privileged-access-management/upgradepack.html

Password Manager Pro
https://www.manageengine.com/products/passwordmanagerpro/upgradepack.html

Apply the latest build to your existing product installation as per the upgrade pack instructions in the links provided above.

Important Note: Don’t forget to make a backup of your installation folder before you upgrade and keep the backup in a separate location. If anything goes wrong, you will have this copy as a backup which will keep all your settings intact. If you’re using an MS SQL server as the back-end database, back up the application database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.

For more information or if you have any questions/concerns feel free to contact us

This article is relevant to:
IT SecurityManageEngineSecurity Advisory

You may be interested in these other recent articles

ManageEngine ServiceDesk Plus Cloud Build Release Information

20 June 2024

Summary details of the current Build Release information for ManageEngine ServiceDesk Plus Cloud Edition. All upgrades are performed by the Zoho Cloud team. Should you…

Read more

Security Advisory – Important Security Fix Released For ManageEngine Solutions

17 June 2024

Product Name Affected Version(s) Fixed Version Fixed on Password Manager Pro 12430 and below 12431 14/06/2024 PAM360 7000 and below 7001 14/06/2024 DetailsAn SQL injection…

Read more

ManageEngine ADSelfService Plus Build Release Information

14 June 2024

The current build release information for ManageEngine ADSelfService Plus is summarised below. Scroll down for more information. You can download the latest service packs here.…

Read more

ManageEngine Password Manager Pro Build Release Information

The current build release information for ManageEngine Password Manager Pro is summarised below. Scroll down for more information. You can download the latest service packs…

Read more

ManageEngine OpManager Build Release Information

13 June 2024

Summary details of the current build release information for ManageEngine OpManager. Scroll the above to view more release details. Download the latest service packs here.…

Read more