Impact
The vulnerability described in the advisory is an authenticated SQL injection flaw in the query report module of Zohocorp's ManageEngine PAM360 and Password Manager Pro. An attacker who holds valid user credentials could submit crafted SQL through the report query interface, causing the database engine to execute statements the application never intended. Because the flaw allows execution of arbitrary SQL statements, it potentially threatens the confidentiality and integrity of the data stored in the underlying database, such as stored passwords and audit records, though the description does not detail specific downstream effects.
Affected Systems
Affected systems include Zohocorp's ManageEngine PAM360 versions earlier than 8531 and ManageEngine Password Manager Pro versions between 8600 and 13230 inclusive. The advisory indicates that the query report module must be accessed with authenticated credentials to trigger the injection.
Risk and Exploitability
The CVSS score of 8.1 classifies the vulnerability as high severity. The EPSS score of 1% indicates a low but non-zero probability of exploitation in the current landscape, and the flaw is not listed in the CISA KEV catalog. Based on the description, exploitation requires authentication; an attacker needs a legitimate account that has permissions to use the query report module. Once authenticated, the attacker can run arbitrary SQL statements against the database, potentially enabling unauthorized data retrieval or modification.
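To make the class of flaw concrete for defenders reviewing similar report modules, the following is an added example written for this page; it is not code from ManageEngine PAM360 or Password Manager Pro, and it does not reproduce the product's real schema, query or parameters. It uses a constructed in-memory SQLite database with a `resources` table, a user-supplied `owner` filter and a user-selectable sort column (all assumed for illustration) to contrast a report query assembled by string concatenation with a parameterized query plus an allowlist for identifiers that cannot be bound as parameters.

```python
import sqlite3

# Constructed sample schema and rows for the demonstration; not the product's schema.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE resources (id INTEGER PRIMARY KEY, name TEXT, owner TEXT);
        INSERT INTO resources VALUES (1, 'db-prod', 'alice');
        INSERT INTO resources VALUES (2, 'db-test', 'bob');
    """)
    return conn


def report_vulnerable(conn, owner):
    # The user-controlled filter is spliced into the statement text, so a quote
    # character in `owner` changes the structure of the SQL the engine parses.
    sql = "SELECT name FROM resources WHERE owner = '" + owner + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def report_parameterized(conn, owner):
    # The filter is bound as a parameter: the engine treats it strictly as a
    # string value, never as SQL syntax, whatever characters it contains.
    sql = "SELECT name FROM resources WHERE owner = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (owner,))]


# Identifiers (column names, ORDER BY targets) cannot be bound as parameters,
# so a report module that lets the user choose them needs an allowlist.
ALLOWED_SORT_COLUMNS = {"name", "owner"}


def sort_column_allowed(column):
    return column in ALLOWED_SORT_COLUMNS


def report_hardened(conn, owner, sort_by="name"):
    # Values go through binding; identifiers go through the allowlist.
    if not sort_column_allowed(sort_by):
        raise ValueError("unsupported sort column: %r" % sort_by)
    sql = "SELECT name FROM resources WHERE owner = ? ORDER BY " + sort_by
    return [row[0] for row in conn.execute(sql, (owner,))]


if __name__ == "__main__":
    db = build_db()
    tautology = "alice' OR '1'='1"   # constructed input containing SQL syntax
    print("concatenated:", report_vulnerable(db, tautology))   # returns every row
    print("parameterized:", report_parameterized(db, tautology))  # returns nothing
    print("hardened:", report_hardened(db, "alice", "owner"))
```

The concatenated version returns every owner's resources for the constructed input because the quote closes the literal and the rest is parsed as SQL; the bound version returns no rows because no owner is literally named that string. In a review of a report module, the two checks to make are that every user-supplied value reaches the engine through a bound parameter and that every user-supplied identifier is matched against a fixed allowlist; running the report feature under a read-only database role further limits the integrity impact the advisory describes if a gap is missed.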
OpenCVE Enrichment