CVE-2014-8499

Name of the Vulnerable Software and Affected Versions ManageEngine Password Manager Pro versions prior to 7.1 build 7105 ManageEngine Password Manager Pro Managed Service Providers edition versions prior to 7.1 build 7105

Description The issue allows remote authenticated users to execute arbitrary SQL commands. This is achieved via the SEARCH ALL parameter to specific files, including (1) SQLAdvancedALSearchResult.cc or (2) AdvancedSearchResult.cc.

Recommendations For ManageEngine Password Manager Pro versions prior to 7.1 build 7105, update to version 7.1 build 7105 or later. For ManageEngine Password Manager Pro Managed Service Providers edition versions prior to 7.1 build 7105, update to version 7.1 build 7105 or later. As a temporary workaround, consider restricting access to the SEARCH ALL parameter in the affected API endpoints until a patch is available.