ManageEngine Password Manager Pro 6.5 < 7.1 Build 7105 Blind SQL Injection

Medium severity, Nessus Plugin ID 80960

Synopsis

The remote host is running a web application affected by a SQL injection vulnerability.

Description

The remote host is running a version of ManageEngine Password Manager Pro from 6.5 (inclusive) up to, but not including, 7.1 Build 7105. It is, therefore, affected by a blind SQL injection vulnerability due to a failure to validate the 'SEARCH_ALL' parameter.

Solution

Upgrade to ManageEngine Password Manager Pro version 7.1 Build 7105 or later.

See Also

https://packetstormsecurity.com/files/129036

http://www.nessus.org/u?6b35a1c6

Plugin Details

Severity: Medium

ID: 80960

File Name: manageengine_pmp_7105.nasl

Version: 1.10

Type: remote

Family: CGI abuses

Published: 1/23/2015

Updated: 5/2/2022

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2014-8499

CVSS v3

Risk Factor: Medium

Base Score: 6.3

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Vulnerability Information

CPE: cpe:/a:manageengine:password_manager_pro

Required KB Items: installed_sw/ManageEngine Password Manager Pro

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/1/2015

Vulnerability Publication Date: 8/11/2014

Reference Information

CVE: CVE-2014-8499

BID: 71018