CVE-2022-47523: Authenticated SQL Injection Vulnerability

This document addresses the vulnerability reported in the management component of RMM Central.

Severity: High

Update Released Build: 10.1.46

Update Released Date: 07/01/2023

What was the problem?

An authenticated SQL injection vulnerability (CVE-2022-47523) was identified in the management component. It may allow an adversary to execute custom queries and access database table entries. This has now been fixed by enhancing validation and escaping special characters.

Affected versions: 10.1.45 and below

Credits and acknowledgments

This vulnerability was reported by nextheia.com via ManageEngine's Bug Bounty program.

How do I fix it?

This vulnerability was fixed on January 7, 2023, and the mitigation is available in build 10.1.46 with management build 10.1.2232.2.

Apply the latest build to your existing product installation by following the upgrade pack instructions on the service pack page.

https://www.manageengine.com/remote-monitoring-management/service-packs.html

Help

For any further questions or concerns, please reach out to us at rmmcentral-support@manageengine.com