CVE-2022-47523: 
Zoho ManageEngine Access Manager Plus vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2022-47523) was discovered in Zoho ManageEngine products including Password Manager Pro (versions 12200 and below), PAM360 (versions 5800 and below), and Access Manager Plus (versions 4308 and below). The vulnerability was disclosed in December 2022, with patches released between December 28-30, 2022 (ManageEngine Advisory, NVD).

The vulnerability exists due to improper validation of user-supplied input, allowing SQL injection attacks. The flaw received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) (NVD).

When exploited, this vulnerability allows an adversary to execute custom queries and access the database table entries using the vulnerable request. The attacker could potentially read or modify database contents, potentially exposing sensitive credential information stored in these password management systems (ManageEngine Advisory, Tenable Blog).

Zoho has released patches to address this vulnerability. Organizations should upgrade to the following fixed versions: Password Manager Pro version 12210, PAM360 version 5801, and Access Manager Plus version 4309. The vulnerability was fixed by adding proper validation and escaping special characters (ManageEngine Advisory).