This document addresses an "SQL injection" vulnerability (CVE-2022-27908, CVE-2022-29535) in ManageEngine RMM Central, reported by Anh Vu.
Severity: High
CVE ID: CVE-2022-27908, CVE-2022-29535
Affected version(s): Build 10.1.23 and below
Fixed version(s): Build 12.5.629
Fixed on: April 20, 2022
More Details
It was possible to perform SQL injection in reports through the bview parameter (the Business View filter parameter).
The issue can be fixed by upgrading your ManageEngine RMM Central to build 10.1.23 with the monitoring instance at version 12.5.629 or above.
Upgrade to the latest build from the URL given below.
https://www.manageengine.com/remote-monitoring-management/service-packs.html
If you need further help, please contact our support at rmmcentral-support@manageengine.com
Keywords: Security Updates, Vulnerabilities and Fixes.