January 5, 2023

Following the discovery of a severe SQL injection (SQLi) vulnerability tagged CVE-2022-47523, enterprise software provider Zoho has urged customers to upgrade to the most recent versions of Access Manager Plus, PAM360, and Password Manager Pro.

Access Manager Plus versions 4308 and lower, PAM360 versions 5800 and lower, and Password Manager Pro versions 12200 and lower are all affected. It is of high severity and allows an adversary to execute custom queries and access database table entries via the vulnerable request. After successful exploitation, attackers have unauthenticated access to the backend database and can run custom queries to access database table entries.

Administrators and users of the affected product versions are urged to upgrade to the most recent versions as soon as possible. Zoho claims to have resolved the issue last month by escaping special characters and implementing proper validation.

According to the company, “given the severity of this vulnerability, customers are strongly advised to immediately upgrade to the latest build of PAM360, Password Manager Pro, and Access Manager Plus.”

Users are advised to download the latest upgrade pack for the product to upgrade and immediately patch the vulnerability. Then, follow the upgrade pack instructions in the above links to apply the latest build to the existing product installation.

The sources for this piece include an article in BleepingComputer.