PT-2022-19401 · Zoho · Zoho ManageEngine Access Manager Plus, Password Manager Pro, PAM360

Evan Grant

·

Published

2022-04-13

·

Updated

2025-12-05

·

CVE-2022-29081

CVSS v2.0

10

Critical

Vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Zoho ManageEngine Access Manager Plus versions prior to 4302
Zoho ManageEngine Password Manager Pro versions prior to 12007
ManageEngine Privileged Access Manager 360 (PAM360) versions prior to 5401
Description

Zoho ManageEngine Access Manager Plus, Zoho ManageEngine Password Manager Pro, and ManageEngine Privileged Access Manager 360 (PAM360) are affected by an improper path restriction issue (path traversal). A remote, unauthenticated attacker can bypass the access control applied to several REST API URLs, including those for SSOutAction, SSLAction, LicenseMgr, GetProductDetails, GetDashboard, FetchEvents and Synchronize, by sending a request whose URI contains the '../RestAPI' substring. The indicator implies that the access-control check is applied to the request path before the '..' segment is resolved, so the path does not match the protected /RestAPI prefix at check time but is dispatched to the protected endpoint afterwards. The result is unauthorized access to protected information; the CVSS v2 vector rates the impact as complete for confidentiality, integrity and availability with no authentication required.
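The following is an added illustration, not code from ManageEngine or from this advisory: a toy model of the weakness class described above, in which a path-based access check matches on the raw request URI while the framework resolves '..' segments only afterwards, beside a hardened check that canonicalises first, plus a small log-hunting helper that looks for the '../RestAPI' indicator in Tomcat-style access-log lines. The endpoint names come from the advisory; the filter logic, request paths and log lines are constructed for the example and do not describe the vendor's implementation.

```python
"""
Added example (not ManageEngine code): a hypothetical raw-URI access check
that is bypassed by a '../RestAPI' traversal segment, the fixed variant, and
a log-hunting helper for the indicator named in the advisory. Endpoint names
are from the advisory; everything else here is constructed.
"""
import posixpath
import re
from typing import Callable, Optional
from urllib.parse import unquote

# REST endpoints the advisory lists as reachable through the bypass.
PROTECTED_ENDPOINTS = {
    "SSOutAction", "SSLAction", "LicenseMgr", "GetProductDetails",
    "GetDashboard", "FetchEvents", "Synchronize",
}
PROTECTED_PREFIX = "/RestAPI/"


def normalize(path: str) -> str:
    """Resolve '.' and '..' segments the way a servlet container does before dispatch."""
    return posixpath.normpath(path)


def route(path: str) -> Optional[str]:
    """Dispatch on the *normalised* path; returns the protected endpoint hit, if any."""
    norm = normalize(path)
    if norm.startswith(PROTECTED_PREFIX):
        name = norm[len(PROTECTED_PREFIX):].split("/", 1)[0]
        if name in PROTECTED_ENDPOINTS:
            return name
    return None


def vulnerable_filter(path: str, authenticated: bool) -> bool:
    """Hypothetical pre-fix check: require a session only when the RAW URI starts with /RestAPI/."""
    if path.startswith(PROTECTED_PREFIX):
        return authenticated
    return True  # any other prefix is treated as public, even if it normalises to /RestAPI/


def hardened_filter(path: str, authenticated: bool) -> bool:
    """Fixed check: refuse anything the container would rewrite, then decide on the canonical path."""
    decoded = unquote(path)  # also catch percent-encoded dot segments
    if ".." in decoded.split("/") or "\\" in decoded:
        return False  # traversal segments are never legitimate in an API path
    norm = normalize(decoded)
    if norm != decoded and norm != decoded.rstrip("/"):
        return False  # path would be rewritten before dispatch: do not trust it
    if norm.startswith(PROTECTED_PREFIX):
        return authenticated
    return True


def handle(path: str, authenticated: bool,
           check: Callable[[str, bool], bool]) -> str:
    """Filter-then-dispatch, as a container does: returns endpoint name, 'public' or 'denied'."""
    if not check(path, authenticated):
        return "denied"
    return route(path) or "public"


# Indicator from the advisory: a traversal segment immediately followed by RestAPI/.
TRAVERSAL_INDICATOR = re.compile(r"(\.\./|\.\.\\)+RestAPI/", re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+)')


def suspicious_requests(access_log: str) -> list:
    """Return access-log lines whose percent-decoded URI contains the '../RestAPI' indicator."""
    hits = []
    for line in access_log.splitlines():
        m = REQUEST_LINE.search(line)
        if m and TRAVERSAL_INDICATOR.search(unquote(m.group(1))):
            hits.append(line)
    return hits


# Constructed Tomcat-style access-log lines, not real telemetry.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Apr/2022:10:00:01 +0000] "GET /RestAPI/GetDashboard HTTP/1.1" 401 0
203.0.113.5 - - [13/Apr/2022:10:00:02 +0000] "GET /images/../RestAPI/GetDashboard HTTP/1.1" 200 5120
203.0.113.5 - - [13/Apr/2022:10:00:03 +0000] "GET /images/%2e%2e/RestAPI/FetchEvents HTTP/1.1" 200 2048
198.51.100.7 - - [13/Apr/2022:10:00:04 +0000] "GET /images/logo.png HTTP/1.1" 200 1200
"""

if __name__ == "__main__":
    bypass = "/images/../RestAPI/GetDashboard"
    print("direct, no session, vulnerable :", handle("/RestAPI/GetDashboard", False, vulnerable_filter))
    print("traversal, no session, vulnerable:", handle(bypass, False, vulnerable_filter))
    print("traversal, no session, hardened :", handle(bypass, False, hardened_filter))
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

The model shows the essential ordering problem: the raw-URI check sees `/images/../RestAPI/GetDashboard`, which does not start with `/RestAPI/`, while dispatch resolves the `..` segment and serves the protected endpoint. The hardened check decodes, rejects any `..` segment outright, and only then compares the canonical path against the protected prefix. The log helper is a starting point for retrospective hunting on hosts that ran an affected build; a hit is an indicator to investigate, not proof of successful exploitation.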
Recommendations

Update to Zoho ManageEngine Access Manager Plus 4302 or later, Zoho ManageEngine Password Manager Pro 12007 or later, and ManageEngine Privileged Access Manager 360 (PAM360) 5401 or later.

Exploit

Fix

Weakness Enumeration

Path traversal

Related Identifiers

BDU:2025-14638
CVE-2022-29081

Affected Products

PAM360
Password Manager Pro
Zoho ManageEngine Access Manager Plus