SQL Injection Vulnerability - CVE-2024-5546

SQL Injection Vulnerability in Password Manager Pro and PAM360

Severity: High

CVE ID: CVE-2024-5546

Details:
An SQL injection vulnerability was reported in Password Manager Pro and PAM360. This issue has been fixed and no longer exists in the latest version.

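| Product Name         | Affected Version(s) | Fixed Version(s) | Fixed On   |
|----------------------|---------------------|------------------|------------|
| Password Manager Pro | Till 12430          | 12431            | 14-06-2024 |
| PAM360               | Till 7000           | 7001             | 14-06-2024 |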

(Please note that this vulnerability applies only to those who have installed or upgraded to the above-mentioned versions.)

This vulnerability allows an adversary to execute custom queries and access database table entries using the vulnerable request. However, the dual encryption mechanism ensures that access to sensitive information like passwords remains restricted.

Given the severity of this vulnerability, customers are strongly advised to upgrade to the latest build of Password Manager Pro and PAM360 immediately.

Steps to Upgrade:

  1. Download the latest upgrade pack from the following links
  2. Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.

Please contact product support for further details at the email addresses below:

PAM360: pam360-support@manageengine.com

Password Manager Pro: passwordmanagerpro-support@manageengine.com

Access Manager Plus: accessmanagerplus-support@manageengine.com
