SQL Injection vulnerability: CVE-2022-27908, CVE-2022-29535

This document addresses an "SQL injection" vulnerability (CVE-2022-27908, CVE-2022-29535) in ManageEngine RMM Central, reported by Anh Vu.

Severity: High

CVE ID: CVE-2022-27908, CVE-2022-29535

Affected version(s): Build 10.1.23 and below

Fixed version(s): Build 12.5.629

Fixed on: April 20, 2022

More Details

What was the problem?

It was possible to perform SQL injection in reports through the bview parameter (the Business View filter parameter).

How do I fix it?

The issue can be fixed by upgrading your ManageEngine RMM Central to build 10.1.23, with the monitoring instance on version 12.5.629 or above.

Upgrade to the latest build from the URL given below.

https://www.manageengine.com/remote-monitoring-management/service-packs.html

If you need further help, please contact our support at rmmcentral-support@manageengine.com.

Keywords: Security Updates, Vulnerabilities and Fixes.