Business software provider Zoho has urged customers to patch a high-severity security flaw affecting multiple ManageEngine products.
The bug, tracked as CVE-2022-47523, is an SQL injection vulnerability found in the company’s Password Manager Pro secure vault, PAM360 privileged access management software, and Access Manager Plus privileged session management solution.
Successful exploitation provides authenticated attackers with access to the backend database and allows them to execute custom queries to access database table entries.
“We identified a SQL injection vulnerability (CVE-2022-47523) in our internal framework that would grant access to all [..] users to the backend database,” Zoho said.
The company added that “given the severity of this vulnerability, customers are strongly advised to upgrade to the latest build of PAM360, Password Manager Pro and Access Manager Plus immediately.”
Zoho says it fixed the issue last month by escaping special characters and adding proper validation.